Possible RSS Abuse in Longhorn 214
dMill writes "There has been a lot of discussion about Microsoft's decision to bake RSS into Longhorn (see previous Slashdot coverage) but the obvious security implications seem to be on the back burner. eWeek has a story discussing the risks and Don Park is also warning about the potential for abuse and exploitation. For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."
Worse than worms?!? (Score:5, Insightful)
Worse than worms?!? Worms can get into your system, slave it, erase or steal data, slow it down, advertise to you, and any number of other things! What's worse than lost data, identity theft, popups, and a slow computer? Strangulation via TCP/IP?
~Will
Re:Worse than worms?!? (Score:3, Funny)
I'd rather have the worms than Hepatitis and UPIAs in the shower.
Re:Worse than worms?!? (Score:2)
Re:Worse than worms?!? (Score:4, Funny)
Re:Worse than worms?!? (Score:2)
Don't worry, there'll be an RFP for that soon.
Re:Worse than worms?!? (Score:2)
Re:Worse than worms?!? (Score:2)
Tapeworm Contagion Protocol/Infestation Protocol
Hey, if we filter RSS packets for the IP Evil Bit [faqs.org], we should be safe, yes?
OS X (Score:5, Insightful)
There is a big difference between RSS being a security risk and a bad implementation of an RSS reader and poor security model being insecure.
Re:OS X (Score:3, Informative)
Re:OS X (Score:2)
1. Define "OS Space".
2. What on Earth makes you think Microsoft will put an RSS reader into kernel space in Windows ?
Re:OS X (Score:3, Insightful)
Hate to break it to you, but IE is no more "integrated" into Windows than Safari+WebKit+WebCore is into OS X.
There is zero reason to believe a Microsoft RSS "reader" will be any more "integrated" into Windows than the OS X one is into OS X.
Re:OS X (Score:3, Insightful)
See, even seasoned sysadmin pros can be wrong.
Linux boxes get owned every day of the week, just like any other box with exploits available.
The perception of security has *nothing to do* with the actual security.
Re:OS X (Score:2)
The number of times a system is exploited is not not a valid measure of its security.
People don't steal cars because there are lots of them.
Which cars are more likely to get stolen - the ones 95% of the population own or the ones 5% of the population own ?
Re:OS X (Score:3, Informative)
I don't mind at all, in fact I used it as a test to see if you knew much about the scene on which you are trying to comment. File eXchange Protocol http://en.wikipedia.org/wiki/FXP [wikipedia.org]
It is used by warez traders. One can transfer files between two FTP servers without any having to come to you first. One owns a (usually Windows) box, creates hidden directories with directory names that are untypeable at the terminal (using special characters) [the _vti direct
Re:OS X (Score:2)
Re:OS X (Score:2)
If you don't think Slashdot is a MS haters club, then you're nust kidding yourself.
Re:OS X (Score:3, Interesting)
What has surprised me is that in the last year or two, I've noticed a real change around here. Now if you post something knocking Microsoft, you are equally likely to get modded to oblivion as modded up. Since Microsoft hasn't changed, I can attribute this shift to one of two things:
1. Lots of new people reading /. who don't know (or don't care) ab
Re:OS X (Score:4, Informative)
The shift is because of all the sensationalistic bullshit Slashdot's been stoking for the last few years. Noone can really judge from reading Slashdot whether or not MS really is shady. Because everything MS does is bad, even if your favorite company does the same thing. A Linux distro intentionally infringes on MS's trademark? It's Microsoft's fault. Security flaw in IE? It's time to switch. Security flaw in Firefox? This is proof we should stay with Firefox. Microsoft decides to discontinue support for Windows 98? MS is evil for forcing people to upgrade. Microsoft decides to continue support for Windows 98? MS is evil for keeping that insecure OS around.
You don't have to be an MS astroturfer to be sick of the bullshit and often outright fiction that the Slashdot community post about MS. Why would I care? Because I love Microsoft? Heh no. Not even close. If Slashdot posted a story right now about MS truely doing something evil, it wouldn't be anymore credible to me than Rush Limbaugh's criticism of a democrat. Slashdot's cried wolf too many times.
Slashdot's lack of credibility about Microsoft is not a result of astroturfing.
Re:OS X (Score:2)
Re:OS X (Score:2)
What would be the motivation for people suddenly liking Microsoft if they 'haven't changed'?
Re:OS X (Score:2)
Cash. That's how astroturfing works. You hire a PR agency with cash and voila! You have hired people to say nice things about you, or try to obscure the words of others who say bad things about you.
Re:OS X (Score:2)
Heh. I wish MS would pay me to dispute the FUD spread against them. Not sure why else I put up with some of the thick headed people here who still think the borg icon is funny.
Re:OS X (Score:4, Informative)
I will take you at your word that you are a decent guy and that your query was genuine. Can I dislike Microsoft while still liking individuals who work there or who work with their products? Sure. Just as I can criticize the actions of the government while being good friends with my neighbor Joe Civic Servant down the street. We are all familiar with how groups of decent individuals can come together in an organization that then causes them to act in ways that perpetuate the organization, even if those ways wind up being bad.
Has Microsoft changed? I don't see much of a change. Their attack on Linux hasn't gained much traction, so in recent months and years they have occasionally tried the carrot instead of the stick and said nice things about Open Source and Free Software. But since the GPL is antithetical to their business model, it seems to be just words. Their actions continue to show that they have not changed.
I spent 15 minutes with Google to come up with some recent relevant examples that show their current attitude. Is every story below accurate? Maybe not. But when there's that much smoke...
Ballmer: Linux violates patents; use it and you will be sued by somebody [theregister.com]
MS Office XML Format licence is incompatible with the GPL [yahoo.com]
HP Memo: "Microsoft will soon be launching a patent-based legal offensive against Linux" [newsforge.com]
Microsoft using the WTO as a proxy to fight free software [theregister.co.uk]
Microsoft's antitrust offering 'blocks Samba' [zdnet.co.uk]
Microsoft's New Monopoly [newsforge.com]
Microsoft remains unrepentant, says antitrust judge [nwsource.com]
Rivals Say Microsoft Flouts Antitrust Settlement [washingtonpost.com]
Re:OS X (Score:4, Insightful)
Only if you're a biased 15 year old with a worldview about as wide as a pencil.
Microsoft behave much the same way every other company does in the computing world. The only difference is their actions have a much wider impact than most others (within the computing world).
If you want to get into a global scale and move outside of the computing world, Microsoft are practically a *saint* in comparison to the /real/ "big nasty corporations. Thousands of babies have not died because of a deceptive Microsoft marketing campaign. Wars have not been started because Microsoft wanted to make some more money.
Get some fucking perspective.
Re:OS X (Score:3, Insightful)
That wouldn't excuse a thing, even if it were true. But it's not true. They have behaved shamefully, and to a worse degree than other companies. Perhaps it's only because of the power they wield, but they have behaved in a shameful manner.
"If you want to get into a global scale and move outside of the computing world, Microsoft are practically a *saint* in comparison to the /real/ "big nasty corporations. Thousands
Move along...no news here (Score:5, Insightful)
When are we going to stop acting like each new protocol or application vulnerability is a new thing? Until NX (No Execute) and good input sanitization is ubiquitous, these things will contine to plague the networked world.
Comment removed (Score:4, Insightful)
Re:Move along...no news here (Score:2, Insightful)
Re: (Score:3, Insightful)
Re:Move along...no news here (Score:2)
You, just like everyone else, seem to be confused on what COM, OLE, ActiveX, etc are and how they relate.
COM is simply a CROSS-PLATFORM binary interface standard. It isn't Windows only, either.
OLE is a SET of defined COM interfaces to Link and Embed Objects in documents (and similar). ActiveX was part marketing gimmick and part new version of OLE. This brought forth the mighty IDispatch interface for Automation.
http://www.orafaq.com/glossary/faqglosc.htm#COM [orafaq.com]
Re: (Score:2)
Re:Move along...no news here (Score:3, Insightful)
But data and code are as separate on Windows as they are on any other OS. The problem with Windows has nothing to do with this. The largest problems are:
1. Much of the code was written without concern for security by people who didn't really understand how to make it secure. This lead to things like the RPC serv
Re:Move along...no news here (Score:3, Informative)
These memory segments are separate, but nothing will prevent a CPU from executing valid code in a data segment. Overflow exploits work by diverting execution to code stored in data. The whole point behind NX is to prevent that.
Re:Move along...no news here (Score:3, Interesting)
I find it laughable you blame this UI paradigm on Windows when MacOS and OS/2 were doing it (and advertising it) _years_ beforehand (and the concept itself is even older). Microsoft were 5 - 10 years late to the pervasive drag & drop, sorta-object-oriented, document-centric interface, yet somehow it's their fault ?
For s
Re:Move along...no news here (Score:3, Interesting)
Even these may not be enough. I think it's going to be really hard to get good, ubiquitous input sanitization. Folks will keep generating new and interesting dynamic, networked appplications, vulnerable in new and interesting ways...
A nice tip-of-the-iceberg example are notes on supported Python versions from the Zope team. They recommend Python 2.3.5, not the new 2.4.1, not for sta
Blah! We don't have to worry... (Score:5, Funny)
Re:Blah! We don't have to worry... (Score:2)
Longhorn is not going to be built.
Or at least not shipped in our generation.
cached links (Score:3, Informative)
http://www.eweek.com.nyud.net:8090/article2/0,175
http://www.docuverse.com.nyud.net:8090/blog/donpa
Handy little caching service.
What!? (Score:3, Funny)
Re:What!? (Score:3, Insightful)
Re:What!? (Score:4, Funny)
Re:What!? (Score:2)
(Am I the only one who spotted the two in that dream sequence?)
Re:What!? (Score:2, Informative)
Re:What!? (Score:4, Informative)
What retard decided to put binary data in RSS? Or would allow execution of code linked to by an RSS feed? That is truly the most retarded thing Microsoft could have done with regards to security.
That would be Adam Curry and Dave Winer [ipodder.org], an MTV DJ and a 'net hacker (the guy behind RSS1 and RSS2, IIRC)
Embedding RSS (and, more importantly, the RSS "enclosure" magic that enables podcasting) is right up there with "let's embed the browser right into the OS", but to be fair to MS it wasn't them who decided to put binary data into RSS. Though I bet they're kicking themself right now - "no patents for us!"
Re:What!? (Score:2, Informative)
Re:What!? (Score:2)
Re:What!? (Score:2)
Adam (how's my hair?) Curry, formerly of eMpTyVee fame...
Re:What!? (Score:2)
Not be picky or anything..
1. I have yet to see any vendors applying techniques making the smearing of cement on condoms impossible.
2. Smearing a condom with cement would make it useless, although extremely secure. I think would most people would agree that this is not a description which can be aptly applied to Microsoft.
Re:What!? (Score:4, Funny)
Dude, I am so not having sex with you.
Re:What!? (Score:2)
Dave Winer, for one. He's a lot of things, but he isn't a retard.
"Or would allow execution of code linked to by an RSS feed?"
Now, if this were don
OMG Don Park is Warning! (Score:2, Funny)
Don Park is warning!
Glad to hear what Don Park has to say about this story.
I love Don Park, I read every word he writes!
WHO THE FUCK IS DON PARK?
Common sense (Score:3, Insightful)
RSS is a transmission vector. Data can get onto your system through RSS in the same way it can get onto your system through email, through floppy disks, through web browsing, and so on.
Wherever there's a transmission vector, there's possibility for infection if applications that consume that data are insecure.
So basically, this "possible abuse" warning is simply saying "You know those applications that suck up lots of untrusted data? If they are insecure, you may have problems!" Sorry, but there's nothing new here.
In fact, having it built into Longhorn could reduce the likelihood for security holes. All the RSS-consuming applications use their own home-grown parsing routines right now. Switching to one shared library means there's only one place for vulnerabilities to arise in this respect, and when each vulnerability is fixed, it will be fixed for all the applications at once.
On the other hand, this is Microsoft that is writing the shared library, and we all know how secure their coding is. Internet Explorer hasn't had any meaningful updates for four years, and they are still finding holes in it on a regular basis - which means that every application that embeds Trident (Internet Explorer's rendering engine) are constantly in a state of insecurity. It all comes down to the benefits of shared libraries versus the incompetence of Microsoft.
Re:Common sense (Score:2)
When things start getting messy down the road, and the TPTB want to hide the truth from the masses, what better way than to control RSS feeds.
Re:Common sense (Score:2)
So this is like ordering a #4, instead of having to order a Double-Whopper with Cheese, Large Fries and Large Coke all separately? Sounds simple.
May I take your order?
Yeah, we'll each have one library vulnerability, with one Microsoft Security Bulletin, a Microsoft Knowledge Base article, a BugTraq ID, a CVE
Perhaps this is _why_ msft is interested. (Score:4, Insightful)
Many businesses are still content with Windows2000; and see little reason to upgrade to Longhorn. One of the easiest buttons to push to get a CFO to approve upgrades is finding security holes in the old systems.
As long as Microsoft's business model is so dependant on bleeding it's existing customers until they're dry; I don't think it's really in their interest to stop security holes. Of course they don't want to launch Longhorn with a bunch of old IE holes that are already exploited, so they need to find new areas for this. Slowly adding new holes like RSS; where the holes may not be found for many years is perfect for the upgrade plan.
[yes, it was a troll; but I think there's a truth to the fact that security weeknesses in Windows is a major driver of upgrades]
Mod parent up (Score:4, Interesting)
Microsoft keeps adding stuff to Windows that allows external programs to initiate activity from the network. Windows Messenger Service. Universal Plug and Play. Windows Update. Active Management. AutoPlay. Now, RSS. And they consistently have them turned on by default. This guarantees a large supply of future security holes.
In ten years, they haven't even been able to secure Outlook.
Re:Perhaps this is _why_ msft is interested. (Score:5, Informative)
While it may be nice to think these conspiracy theories that we purposefully put in vulnerabilities, the fact is that at least since 2003 MS has kicked itself into shape and now has security as the top priority. We're actually seeing for the first time security concerns trumping 'user friendliness', which is great. Anyway, we have too many eyes from different groups going through oru designs and actual code for people to make such shady business decisions.
Re:Perhaps this is _why_ msft is interested. (Score:4, Insightful)
That's fine, but the fact remains that Microsoft is adding new attack vectors just as they are incorporating new technologies to deal with security holes (which themselves qualify as potential vulnerabilities). It may be a stereotype, but the culture of "Uncle Bill" really holds sway here, that Microsoft sets itself up as both the cause and solution to security problems and extending RSS to include executable binary code is just as smart as ActiveX in the browser. That is, "not very," for the majority of users, and "definitely not" for the wild-and-wooly Internet environment.
Keep in mind Hanlon's law here. It's not enough to say that Microsoft is feeding a conspiracy by making shady business decisions because I don't think they are. They just can't help making dumb ones. Refer to the allegory of the scorpion and the frog [allaboutfrogs.org] for further illustration.
Re:Perhaps this is _why_ msft is interested. (Score:2)
Refer to the allegory of the scorpion and the frog for further illustration.
You're going to have to explain this to me - are you saying that Microsoft is going to pull down it's userbase deliberately because it hasn't or won't consider it's own future?
Re:Perhaps this is _why_ msft is interested. (Score:3, Insightful)
"We're actually seeing for the first time security concerns trumping 'user friendliness', which is great."
Is it great? As someone with stock in Microsoft, I wonder if Microsoft's newfound obsession with security is a poor strategic decision that really doesn't play to Micrsoft's strenghts. Computer security is really an area of
Re:Perhaps this is _why_ msft is interested. (Score:2)
so there is not really any reason to switch from Win2k if you're happy with it.
Always report RSS abuse (Score:4, Funny)
If you see your RSS feed has some broken links or other irregularities, report it immediately to your sys admin -- even if the RSS explains it away as random line noise or CRC errors. Protecting one's abuser is a sign of continued abuse.
Only YOU can help stop RSS abuse!
Is somebody hungry? (Score:5, Funny)
No wonder MS says they can't remove things like IE from the operating system; They cook it all together!!!
Uh... (Score:4, Insightful)
Re:Uh... (Score:2)
When active X was new people were pointing out the potential vulernabilities as well. MSFT ignored those programmers. by 2003 Active X viruses were common place and being launched Daily.
The perfect slashdot article (Score:5, Insightful)
Re:The perfect slashdot article (Score:2)
It's kinda like ActiveX Vs XUL.
Weapon box versus sandbox and that kind of neafty things
Come on guys! (Score:2)
Why worry? (Score:2)
More seriously, by the time Longhorn actually gets released, the world might have passed RSS by. Either that or there will be several third party applications that will do something similar to what Microsoft hopes to do that will have already been released for XP.
Additionally, even if Microsoft does make an application that is buggy as all hell and hands every virus
Re:Why worry? (Score:3, Insightful)
At home, I do not run any Microsoft software, yet I still have to deal with the consequences of zombied Windows PCs on broadband connections, deluging my email inbox with spam and chewing up valuable network bandwidth. When SQL Slammer made its attack, it completely knocked out one of the ISPs here due to the massive amount of traffic.
Microsoft's insecurity affects everyone - even those who don't use MS sof
Sweet........ (Score:2)
Easier way (Score:4, Funny)
Re:Easier way (Score:3, Insightful)
Re:Easier way (Score:2)
OMG!!! (Score:2, Insightful)
Any binary data - exe, zip, pdf can be enclosed (Score:3, Informative)
RSS enclosures can move anything. Corrupt the underlying XML (or the data it is trying to move in the enclosure) and all your victims will pull it onto their desktops automatically. An analog is having HTML email and using a preview pane. You wouldn't do that, but RSS enables it. Got a PDF that exploits an Adobe vulnerability? Add it as an enclosure. Got an image? Same deal. Got a zip? Go ahead. It's not just the currently trendy podcasting and audio files that pose threats. Worse yet, there are many RSS clients our there, not just a few (unlike browser or email). Many opportunities to find holes. Most clients use IE to render the HTML, so there's also the risk of phishing, embedded script, moveable code and other standard HTML malware. What are the vendors doing to mitigate this? Good question. Anyone from feedburner, say, care to comment?
RSS doesn't stand for Really Scary Security - yet. MSFT just made it a much richer target - let's save the guesswork about the quality of their implementation for when it actually shows up.
Script Kiddie Support API... (Score:2, Troll)
So Let Me Get This Straight (Score:2)
Perhaps a weakness in the codec, sure. Or a weakness in who you decide to download files from. Or even a weakness in your firewall applicaiton allowing sneaky code to talk to outside IP addresses. But a bug in RSS itself?
I must be missing something, because that doesn't add up, unless the goal is to change RSS somehow, simply because Lo
I'll offer a bounty of $1,000 (Score:2)
Uses a priviledge escalation to become administrator and then downloads a new and more secure operating system (e.g. OpenBSD) to replace Longhorn.
MS vs Apple (Score:4, Interesting)
Re:MS vs Apple (Score:2)
Lovely... (Score:2)
Will it come with a new command line interface? No.
Will it come with risk-laden RSS support "integrated" into the OS so that it can't be uninstalled? Yes.
Nice set of priorities there, Microsoft. I hope you aren't too surprised when I prioritize my cash in such a way that I stick with NT 5.x.
Re:Lovely... (Score:2)
--Microsoft VP Bob Muglia on 2005 June 7 [microsoft.com]
Unless Longhorn is also on that 3-5 year timetable, it's heavily implied that the new CLI has officially been axed from Longhorn.
Bonzi! (Score:2)
Um...whatever (Score:2)
Not that big a deal (Score:2)
overflow inducing content (Score:2)
RSS is a potential attack vector (Score:2, Interesting)
I think it is interesting that Microsoft is using a well known protocol in Longhorn, especially one that wasn't developed at Microsoft. If RSS in Longhorn is exploited then the folks their can point back to the open source RSS development community and look for help getting the vector or the exploit addressed.
It will also be intersting to see
Worrmcasting? (Score:2, Funny)
This Is Why a Secure Windows is Impossible (Score:2, Interesting)
"Push" redux (Score:2)
It isn't even available yet (Score:2)
Windows really raises interesting expectations.
Re:Not IF there are vulnerabilities but WHAT they (Score:3, Insightful)
Embrace Extend poorly, an extinguish everything seems to be MSFT's philosophy.
MSFT wants locking so badly it forgets to look for the simple errors.
Re:Not IF there are vulnerabilities but WHAT they (Score:2)
Scenario - iTunes uses RSS to support Podcasting. A hole in iTunes allows a malicious user to attack the user's computer via the RSS feed. What part of that is due to MSFT?
Re:Not IF there are vulnerabilities but WHAT they (Score:2)
Re:Not IF there are vulnerabilities but WHAT they (Score:2)
Re:Not IF there are vulnerabilities but WHAT they (Score:2)
Re:There are no overflows in .NET architecture (Score:2)
Re:Wow. (Score:2)
Re:Wow. (Score:2)