Jim Rapoza at eWeek talks about the potential threat from RSS. He specifically mentions what malicious enclosures could do. This is really close to what I blogged about last December. I lost my old blog and most of the posts. Some have survived in Outlook and there are still a few in Google’s cache. I even checked Archive.org but none of my posts are there either.
I have included the original post below.
–Chris
——————————
http://www.infosecpodcast.com/2005/12/07/dangers-of-rssnot-from-blogs/
David Sancho from Trend Micro wrote a paper, The Future of Bot Worms, where he predicts what we might see from bot and worm writers in the future. The section on RSS Feed Hijacking drew a bit of criticism from eWeek’s Larry Seltzer. Sancho proposes that hijacked RSS feeds might be used as a way to download malware and its updates. He suggests that HTTP scanning will help. Seltzer contends that if you are already protected against malware (up-to-date antivirus, patched OS) this is not a substantial threat. Both Sancho and Seltzer seem to be concentrating on RSS being used to update content like blogs and on threats from worms. I am concerned about RSS for a different reason.
In addition to updating content, RSS is also used to download podcasts. These podcasts can be in different file formats, with mp3 being one of the more popular. There have been vulnerabilities in media players that are triggered by mp3 files, specifically a buffer overflow in Winamp caused by an invalid ID3v2 tag.
Consider this scenario. Through DNS poisoning or hijacking, an attacker tricks Joe Consumer’s PC into downloading a podcast mp3 (or song) with a specially crafted ID3v2 tag instead of the usual podcast he listens to. Joe fires up a copy of Winamp that isn’t the latest version, and the special mp3 crashes Winamp and loads malicious code into the buffer. No virus or worm is involved, and a patched OS does not help.
Could it happen? Absolutely. Is it likely to be a widespread seeding method? Probably not.
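A podcast client can sanity-check an enclosure's ID3v2 tag before handing the file to a media player. The sketch below is an added example, not code from the original post: it checks only ID3v2.3/2.4 header and frame sizes, does not model the specific Winamp flaw (the post gives no details of it), and its function names and sample bytes are constructed for illustration.

```python
# Added example: structural pre-check of a leading ID3v2.3/2.4 tag.
ID_CHARS = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def synchsafe(b):
    """Decode a 4-byte synchsafe integer (7 bits per byte); None if malformed."""
    if len(b) != 4 or any(x & 0x80 for x in b):
        return None
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def check_id3v2(data):
    """Return a list of structural problems in a leading ID3v2 tag ([] = none)."""
    if data[:3] != b"ID3":
        return []                               # no ID3v2 tag to check
    if len(data) < 10:
        return ["truncated tag header"]
    major, flags = data[3], data[5]
    if major not in (3, 4):
        return [f"version 2.{major} not handled here"]   # fail closed
    if flags & 0xC0:
        return ["unsynchronisation/extended header not handled here"]
    tag_size = synchsafe(data[6:10])
    if tag_size is None:
        return ["tag size is not synchsafe"]
    end = 10 + tag_size
    if end > len(data):
        return [f"tag claims {tag_size} bytes but file is too short"]
    pos = 10
    while pos + 10 <= end:
        fid, raw = data[pos:pos + 4], data[pos + 4:pos + 8]
        if fid[0] == 0:
            break                               # padding after the last frame
        if any(c not in ID_CHARS for c in fid):
            return [f"invalid frame id {fid!r}"]
        # v2.4 frame sizes are synchsafe; v2.3 uses a plain big-endian integer
        size = synchsafe(raw) if major == 4 else int.from_bytes(raw, "big")
        if size is None:
            return [f"frame {fid!r}: size is not synchsafe"]
        if pos + 10 + size > end:
            return [f"frame {fid!r}: size {size} overruns the tag"]
        pos += 10 + size
    return []

# Constructed samples: one well-formed tag, one whose frame size field lies.
HDR = b"ID3\x03\x00\x00\x00\x00\x00\x0f"
GOOD = HDR + b"TIT2\x00\x00\x00\x05\x00\x00\x00Show" + b"\xff\xfb\x90\x00"
BAD = HDR + b"TIT2\x7f\xff\xff\xff\x00\x00\x00Show" + b"\xff\xfb\x90\x00"

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, check_id3v2(blob) or "ok")
```

A client that gets a non-empty list back can quarantine the download instead of queuing it for playback.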




