TOP STORY info you need to make Windows work
Podcasts can infect your PC
By Brian Livingston
You wouldn't think that playing an audio file or a short video clip on your PC could infect your machine with a virus or spyware. But the growing popularity of downloadable files called "podcasts" can do just that.
A podcast is a new form of homegrown radio or television program that's delivered directly to your PC, iPod, or portable media player.
Apple Computer released new iTunes 4.9 software on June 28 that supports "podcatching." You subscribe to certain podcasts, and iTunes automatically downloads new episodes when they're posted.
Not to be outdone, Microsoft has announced that its new Internet Explorer 7.0 browser, due this fall, will support RSS feeds. These feeds can include podcasts as "enclosures," somewhat similar to the way e-mail messages have attachments.
All of this big-time support is making podcasting hot, hot, hot. Glowing articles have appeared in the mainstream press. PodcastAlley, which lets visitors rate their favorite programs, lists more than 5,000 podcasters who've produced 80,000 episodes, all of them free of charge. That's up from zero as little as one year ago.
To give you some idea of the scorching growth rate, Wikipedia reports that Google showed only 24 hits on the search term "podcasts" on Sept. 28, 2004. There are 13.7 million hits today.
I'm glad that everyone's so excited, but all this happy talk has ignored the fact that podcasts threaten to become another automated way hackers can put viruses and spyware onto your computer.
As we all know only too well, Microsoft Word begat macro viruses, Microsoft Outlook begat e-mail viruses, and Internet Explorer begat ActiveX viruses.
After all that, I was hoping the computer industry had learned its lesson and would avoid creating yet another attack vector via podcasting.
Making podcasts a safe and trouble-free technology requires a single principle from Computer Science 101: Software developers must enforce a separation of code and data. Podcatching applications and media players are code. Podcasts must always be treated as data. Podcasts must not be allowed to run scripts on a computer, install executable files, or anything of the sort.
My investigation this week shows a potential threat from podcasts. Fortunately, no malicious podcasts that spread viruses or spyware "in the wild" have yet been reported. It's not too late for us to ensure both safety and ease of use in this exciting technology.
With a few simple steps, you can protect yourself. More important, software developers can easily make podcasts safe enough for even children to use without fear.
The good news: podcatchers can protect you
For this special report, I asked the experts at eEye Digital Security to examine podcasts and podcatching apps. Dozens of podcatching programs are listed at iPodder.org, a podcast resource site, but for an overview it was necessary to test only a small sample.
As part of eEye's research mission (and without any compensation from me), security product manager Steve Manzuik selected two browser-based RSS readers and two client-based apps to test:
Sage RSS Feeds Sidebar for Firefox
Diodia RSS Feeds Toolbar for Internet Explorer
Primetime Podcast Receiver
Manzuik then created RSS feeds using XML, the language of RSS feeds. He added enclosures that contained nasty stuff, including .exe files and other executables that you definitely don't want running on your computer.
His preliminary tests went fairly well:
Windows Secrets Newsletter, Issue 58, 2005.07.28
1. The browsers gave warnings. When presented with executables, such as .exe files, the browser-based podcatchers benefited from both Internet Explorer and Firefox displaying built-in security-warning dialog boxes. (This level of protection requires IE 6.0 SP1 or higher or any version of Firefox.)
2. All apps saved to disk. Rather than simply streaming a potentially harmful file, all four podcatchers first wrote enclosures to disk. This step allows antivirus and antispyware programs to scan the files and quarantine infected ones. (You need both antivirus and antispyware protection, because antivirus programs generally don't detect spyware.)
3. The players didn't run executable files. When the podcatchers routed, for example, .exe enclosures to Windows Media Player to play them, nothing happened. The Play button was actually greyed out, because the file wasn't in one of the media formats the player expects.
These results are promising, but the tests suggest at least two means of infection that podcatcher developers must guard against. First, podcatching apps might download executable files. When run, these executables would play ordinary audio or video files. But, silently, they would install a Trojan horse that would run or download further adware or spyware.
Second, podcatching apps might download "malformed" or hacked multimedia files. Such files would appear normal, bearing a typical audio or video extension. But, when played, the files would exploit security weaknesses in widely installed media players. The weaknesses would allow the hacked files to quietly install Trojans, with the same effect as in the first case.
In both cases, the victimized PC users might never know that a particular media file had installed anything unusual. When the PCs started running slowly, displaying pop-up ads, or broadcasting spam surreptitiously, the users might not realize the origin of the malware.
The victims, as a result, wouldn't realize they should unsubscribe from a particular podcast, which had perhaps accepted a money-per-install deal from adware promoters. Even if such users unsubscribed en masse from a popular but adware-financed podcast, millions of Trojan horses (and anything the malware subsequently downloaded) would continue operating until physically rooted out.
FeedStation rejects executables by design
Security researcher Manzuik told me in an interview subsequent to his tests that malicious podcasts with active content could become problems soon.
"If it's going to happen," Manzuik said, referring to infectious podcasts, "it's going to be a [malformed] file format issue, or it's going to be through one of these applications that doesn't warn you what the extension is."
What to do: Your best protection against podcasts that are actually executable files is to get a podcatcher that downloads only known multimedia file types. FeedStation, a free podcatcher designed for users of the FeedDemon and NewsGator RSS readers, limits its downloads to a list of expected extensions, such as .mp3 and .wmv. (For more information, see Microsoft's description of multimedia file formats.)
Nick Bradbury, the developer of FeedStation and FeedDemon, says this common-sense protective feature is still rare. "When I first looked at all of the podcatching applications, none of them were doing that," he said in an interview. "All of them were downloading any kind of file."
For this reason and others, I recently recommended FeedStation, FeedDemon, and NewsGator in a review of RSS readers published by Datamation on July 19. FeedStation, to its credit, allows users to add permitted podcast file types if any new formats arise. But users are protected by default against rogue files disguised as podcasts.
The potential for spyware-infected podcasts isn't just theoretical. Bradbury has publicly stated that he's already rejected financial offers to circulate adware. Other content providers might not be able to resist the temptation.
While not all developers of podcatchers limit downloads to safe media formats, the applications do generally block "active content" that can appear in XML. "Most RSS readers already block scripts in RSS," Bradbury says. By a sort of programmers' consensus, RSS readers and podcatchers usually do strip out ActiveX, Visual Basic, OnLoad events, and other tricks hackers could use to hide malware inside podcasts. (Developers: The correct way to do this has been described by Simon Willison, Jeremy Smith, and Michael Radwin's blog.)
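As an added example (not the article's code, nor FeedStation's or any other podcatcher's), here is a Python sketch of the two podcatcher-side defenses described above: an allow-list of media extensions applied to enclosure URLs, as in the FeedStation approach, and stripping of active content from item text, as the RSS readers Bradbury describes do. The extensions beyond .mp3 and .wmv, the sample feed, and the URLs are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Extensions a podcatcher should accept. The article names .mp3 and .wmv for
# FeedStation; the others are assumed additions for this example.
ALLOWED_EXTENSIONS = {".mp3", ".wmv", ".m4a", ".ogg", ".mp4"}

# Active-content patterns: script-bearing elements, on* handlers, script: URLs.
# Regex filtering is illustrative only; a parser-based HTML sanitizer is safer.
_ACTIVE_BLOCKS = re.compile(r"<\s*(script|object|embed|iframe|applet)\b[^>]*>.*?<\s*/\s*\1\s*>", re.I | re.S)
_ACTIVE_TAGS = re.compile(r"<\s*/?\s*(script|object|embed|iframe|applet)\b[^>]*>", re.I)
_EVENT_ATTRS = re.compile(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)", re.I)
_SCRIPT_URLS = re.compile(r"(href|src)\s*=\s*([\"']?)\s*(javascript|vbscript):[^\"'\s>]*\2", re.I)

def enclosure_allowed(url: str) -> bool:
    """Judge by the URL path's extension, never by the feed's declared MIME type."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in ALLOWED_EXTENSIONS)

def strip_active_content(html: str) -> str:
    """Drop script-bearing elements, on* event attributes and script: URLs."""
    html = _ACTIVE_BLOCKS.sub("", html)
    html = _ACTIVE_TAGS.sub("", html)
    html = _EVENT_ATTRS.sub("", html)
    return _SCRIPT_URLS.sub(r"\1=\2\2", html)

def filter_feed(xml_text: str) -> list:
    """One dict per <item>: sanitized show notes plus accepted/rejected enclosures."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        accepted, rejected = [], []
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            (accepted if enclosure_allowed(url) else rejected).append(url)
        items.append({"title": item.findtext("title", default=""),
                      "description": strip_active_content(item.findtext("description", default="")),
                      "download": accepted, "rejected": rejected})
    return items

# Constructed sample feed: one honest enclosure, one .exe whose type attribute
# claims audio, and show notes carrying a script block, an on* handler and a javascript: link.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>Episode 1</title>
<description>Show notes &lt;script&gt;alert(1)&lt;/script&gt;&lt;a href="javascript:evil()" onclick="x()"&gt;link&lt;/a&gt;</description>
<enclosure url="http://example.invalid/ep1.mp3?dl=1" type="audio/mpeg" length="1"/>
<enclosure url="http://example.invalid/ep1.mp3.exe" type="audio/mpeg" length="1"/>
</item></channel></rss>"""
```

Calling `filter_feed(SAMPLE_FEED)` downloads only the .mp3, rejects the .exe despite its "audio/mpeg" label, and returns the show notes with the script, handler and javascript: link removed.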
The bad news: players can bite you
The weak link in protecting users from podcasts that could carry viruses or spyware, therefore, is generally not the podcatchers but the media players.
The major offerings, including Windows Media Player, iTunes, QuickTime, RealNetworks, and WinAmp, have all suffered from serious security holes. These weaknesses have allowed multimedia files to quietly install malware, while the user sees or hears only the expected video or audio clip. Millions of PC users have already been negatively affected by malicious media files that were downloaded manually. It's important to prevent podcasts from being able to automatically exploit media players in the same way.
In the next issue of the newsletter, to be published on Aug. 11, I'll show you simple steps you can take to protect yourself against media players that might stab you in the back. It's not difficult, and it means your PC can download all the podcasts you like with little or no danger.
To send us more information about podcasting, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You'll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
http://www.windowssecrets.com/comp/050728/
(In accordance with Title 17 U.S.C. Section 107, this material is being posted without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes.)