Podcasts can infect your PC
In this issue
- TOP STORY: Podcasts can infect your PC
- HOT TIPS: Take control of your PC, with readers' help
- PATCH WATCH: Can you trust your patch tools?
- WACKY WEB WEEK: Widgets go wild with new Yahoo backing
Podcasts can infect your PC
By Brian Livingston
You wouldn’t think that playing an audio file or a short video clip on your PC could infect your machine with a virus or spyware. But the growing popularity of downloadable files called "podcasts" can do just that.
A podcast is a new form of homegrown radio or television program that’s delivered directly to your PC, iPod, or portable media player.
Apple Computer released new iTunes 4.9 software on June 28 that supports “podcatching.” You subscribe to certain podcasts, and iTunes automatically downloads new episodes when they’re posted.
Not to be outdone, Microsoft has announced that its new Internet Explorer 7.0 browser, due this fall, will support RSS feeds. These feeds can include podcasts as “enclosures,” somewhat similar to the way e-mail messages have attachments.
All of this big-time support is making podcasting hot, hot, hot. Glowing articles have appeared in the mainstream press. PodcastAlley — which lets visitors rate their favorite programs — lists more than 5,000 podcasters who’ve produced 80,000 episodes, all of them free of charge. That’s up from zero as little as one year ago.
To give you some idea of the scorching growth rate, Wikipedia reports that Google showed only 24 hits on the search term podcasts on Sept. 28, 2004. There are 13.7 million hits today.
I’m glad that everyone’s so excited, but all this happy talk has ignored the fact that podcasts threaten to become another automated way hackers can put viruses and spyware onto your computer.
As we all know only too well, Microsoft Word begat macro viruses, Microsoft Outlook begat e-mail viruses, and Internet Explorer begat ActiveX viruses.
After all that, I was hoping the computer industry had learned its lesson and would avoid creating yet another attack vector via podcasting.
Making podcasts a safe and trouble-free technology requires a single principle from Computer Science 101: Software developers must enforce a separation of code and data. Podcatching applications and media players are code. Podcasts must always be treated as data. Podcasts must not be allowed to run scripts on a computer, install executable files, or anything of the sort.
My investigation this week shows a potential threat from podcasts. Fortunately, no malicious podcasts that have spread viruses or spyware "in the wild" have yet been reported. It’s not too late for us to ensure both safety and ease of use in this exciting technology.
With a few simple steps, you can protect yourself. More important, software developers can easily make podcasts safe enough for even children to use without fear.
The good news: podcatchers can protect you
For this special report, I asked the experts at eEye Digital Security to examine podcasts and podcatching apps. Dozens of podcatching programs are listed at iPodder.org, a podcast resource site, but for an overview it was necessary to test only a small sample.
As part of eEye’s research mission (and without any compensation from me), security product manager Steve Manzuik selected two browser-based RSS readers and two client-based apps to test:
• Sage RSS Feeds Sidebar for Firefox
• Diodia RSS Feeds Toolbar for Internet Explorer
• Primetime Podcast Receiver
• Podfeeder
Manzuik then created RSS feeds using XML, the language of RSS feeds. He added enclosures that contained nasty stuff, including .exe files and other executables that you definitely don’t want running on your computer.
His preliminary tests went fairly well:
1. The browsers gave warnings. When presented with executables, such as .exe files, the browser-based podcatchers benefited from both Internet Explorer and Firefox displaying built-in security-warning dialog boxes. (This level of protection requires IE 6.0 SP1 or higher or any version of Firefox.)
2. All apps saved to disk. Rather than simply streaming a potentially harmful file, all four podcatchers first wrote enclosures to disk. This step allows antivirus and antispyware programs to scan the files and quarantine infected ones. (You need both antivirus and antispyware protection, because antivirus programs generally don’t detect spyware.)
3. The players didn’t run executable files. When the podcatchers routed, for example, .exe enclosures to Windows Media Player to play them, nothing happened. The Play button was actually greyed out, because the file wasn’t in one of the media formats the player expects.
These results are promising, but the tests suggest at least two means of infection that podcatcher developers must guard against. First, podcatching apps might download executable files. When run, these executables would play ordinary audio or video files. But, silently, they would install a Trojan horse that would run or download further adware or spyware.
Second, podcatching apps might download "malformed" or hacked multimedia files. Such files would appear normal, bearing a typical audio or video extension. But, when played, the files would exploit security weaknesses in widely-installed media players. The weaknesses would allow the hacked files to quietly install Trojans, with the same effect as in the first case.
In both cases, the victimized PC users might never know that a particular media file had installed anything unusual. When the PCs started running slowly, displaying pop-up ads, or broadcasting spam surreptitiously, the users might not realize the origin of the malware.
The victims, as a result, wouldn’t realize they should unsubscribe from a particular podcast, which had perhaps accepted a money-per-install deal from adware promoters. Even if such users unsubscribed en masse from a popular but adware-financed podcast, millions of Trojan horses (and anything the malware subsequently downloaded) would continue operating until physically rooted out.
FeedStation rejects executables by design
Security researcher Manzuik told me in an interview subsequent to his tests that malicious podcasts with active content could become problems soon.
“If it’s going to happen,” Manzuik said, referring to infectious podcasts, “it’s going to be a [malformed] file format issue, or it’s going to be through one of these applications that doesn’t warn you what the extension is.”
What to do: Your best protection against podcasts that are actually executable files is to get a podcatcher that downloads only known multimedia file types. FeedStation, a free podcatcher designed for users of the FeedDemon and NewsGator RSS readers, limits its downloads to a list of expected extensions, such as .mp3 and .wmv. (For more information, see Microsoft’s description of multimedia file formats.)
Nick Bradbury, the developer of FeedStation and FeedDemon, says this common-sense protective feature is still rare. "When I first looked at all of the podcatching applications, none of them were doing that," he said in an interview. "All of them were downloading any kind of file."
For this reason and others, I recently recommended FeedStation, FeedDemon, and NewsGator in a review of RSS readers published by Datamation on July 19. FeedStation, to its credit, allows users to add permitted podcast file types if any new formats arise. But users are protected by default against rogue files disguised as podcasts.
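The default-deny enclosure check described above, sketched as an added example (not FeedStation's code and not from the original article). The feed, the `feeds.example` host, the function names and the http/https-only rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Default allowlist: the two extensions the article names. A user may extend it.
ALLOWED_EXTENSIONS = frozenset({".mp3", ".wmv"})

# First 16 bytes of an ASF container (.wmv/.wma): the ASF header object GUID.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Constructed sample feed (not a real podcast). Every enclosure claims a media
# MIME type; that attribute is written by the feed author, so it is not trusted.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed test feed</title>
<item><title>Ep 1</title>
 <enclosure url="http://feeds.example/ep1.mp3" length="1" type="audio/mpeg"/></item>
<item><title>Ep 2</title>
 <enclosure url="http://feeds.example/ep2.exe" length="1" type="audio/mpeg"/></item>
<item><title>Ep 3</title>
 <enclosure url="http://feeds.example/ep3.mp3.exe?fmt=.mp3" length="1" type="audio/mpeg"/></item>
<item><title>Ep 4</title>
 <enclosure url="http://feeds.example/ep4%2Emp3%2Escr" length="1" type="audio/mpeg"/></item>
<item><title>Ep 5</title>
 <enclosure url="HTTP://FEEDS.EXAMPLE/EP5.WMV" length="1" type="video/x-ms-wmv"/></item>
</channel></rss>"""


def enclosure_extension(url):
    """Return the lower-cased final extension of the URL path, or '' if none.

    Only the path is inspected, so a query string such as '?fmt=.mp3' cannot
    influence the result, and percent-encoding is decoded first.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):  # assumption: web feeds only
        return ""
    name = PurePosixPath(unquote(parts.path)).name
    name = name.rstrip(". ")  # Windows ignores trailing dots and spaces
    return PurePosixPath(name).suffix.lower()


def filter_enclosures(feed_xml, allowed=ALLOWED_EXTENSIONS):
    """Split a feed's enclosure URLs into (accepted, rejected) lists."""
    # Conservative choice for this sketch: refuse feeds that declare a DTD,
    # which removes entity-expansion tricks before the parser sees them.
    if "<!DOCTYPE" in feed_xml.upper():
        raise ValueError("feed declares a DTD; refusing to parse")
    root = ET.fromstring(feed_xml)
    accepted, rejected = [], []
    for item in root.iter("item"):
        for enc in item.findall("enclosure"):
            url = enc.get("url", "")
            ext = enclosure_extension(url)
            (accepted if ext in allowed else rejected).append(url)
    return accepted, rejected


def content_matches_extension(ext, head):
    """Check the first bytes of a saved download against its extension.

    This catches an executable renamed to .mp3 or .wmv. It does not detect a
    malformed media file aimed at a player bug; the header of such a file
    can look perfectly normal.
    """
    if ext == ".mp3":
        id3_tag = head[:3] == b"ID3"
        frame_sync = len(head) >= 2 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0
        return id3_tag or frame_sync
    if ext == ".wmv":
        return head[:16] == ASF_HEADER_GUID
    return False  # no signature known for user-added types: treat as unverified


if __name__ == "__main__":
    ok, bad = filter_enclosures(SAMPLE_FEED)
    print("download:", ok)
    print("refused: ", bad)
```

The extension test decides what gets fetched; the signature test runs on the file after it is written to disk, alongside the antivirus scan the article mentions.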
The potential for spyware-infected podcasts isn’t just theoretical. Bradbury has publicly stated that he’s already rejected financial offers to circulate adware. Other content providers might not be able to resist the temptation.
While not all developers of podcatchers limit downloads to safe media formats, the applications do generally block "active content" that can appear in XML. "Most RSS readers already block scripts in RSS," Bradbury says. By a sort of programmers’ consensus, RSS readers and podcatchers usually do strip out ActiveX, Visual Basic, OnLoad events, and other tricks hackers could use to hide malware inside podcasts. (Developers: The correct way to do this has been described by Simon Willison, Jeremy Smith, and Michael Radwin’s blog.)
The bad news: players can bite you
The weak link in protecting users from podcasts that could carry viruses or spyware, therefore, is generally not the podcatchers but the media players.
The major offerings — Windows Media Player, iTunes, Quicktime, RealNetworks, and WinAmp — have all suffered from serious security holes. These weaknesses have allowed multimedia files to quietly install malware, while the user sees or hears only the expected video or audio clip. Millions of PC users have already been negatively affected by malicious media files that were downloaded manually. It’s important to prevent podcasts from being able to automatically exploit media players in the same way.
In the next issue of the newsletter, to be published on Aug. 11, I’ll show you simple steps you can take to protect yourself against media players that might stab you in the back. It’s not difficult, and it means your PC can download all the podcasts you like with little or no danger.
To send us more information about podcasting, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.
Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.
Take control of your PC, with readers' help
By Brian Livingston
Readers have submitted a powerful collection o’ tips this week, along with a few stimulating questions that may lead to yet more information.
Like an itch that begs to be scratched, every time I print a tip it results in subscribers sending in two more. Here we go…
New uses for ‘netsh’ command
I printed in the July 14, 2005, newsletter a tip from Mark Palmer about netsh. This is a new command in both Windows XP SP2 and Windows Server 2003 SP1. It offers extensive command-line options to fix broken Internet connections and other nightmares. (For details, search for netsh in Microsoft’s docs for XP and 2003.)
Reader Chris Miller submits another helpful example of this powerful tool:
- “netsh is a very useful utility, if you’re the sort that doesn’t object to typing long strings of (apparent) gibberish. I recently used it to solve a problem with my ad hoc WLAN.
“My primary PC (Windows XP Home) connects to the Internet using a USB DSL modem. It’s linked by Ethernet to three other PCs that access the Internet by means of Microsoft ICS. This all works in a very simple and straightforward manner (thanks, Bill).
“I wanted to link my wife’s Windows 2000 PC to this setup so she could also enjoy high-speed access to the Web. The easiest way to do this (I thought) would be to buy two WLAN PCI cards and use an ad-hoc network to link the two systems. The WLAN setup was (again) simple and straightforward, but ICS would not play ball. IP worked fine between the two WLAN systems, but from the Windows 2000 machine could get no further.
“After (a lot of) searching, I found the magic command string:
netsh bridge set adapter 1 forcecompatmode=enable
"This forces the WLAN adapter (on the ICS gateway) into promiscuous mode so that MAC address spoofing can take place. Most Ethernet cards can do this by default, but most (all?) WLAN cards do not.
“Regarding WLAN setups, I haven’t seen much discussion about the differences between structured (using a WLAN access point) and ad hoc (which doesn’t use an access point) modes. As I understand it, ad hoc is similar to Ethernet. If it can’t detect a transmission, it feels free to blast its message into the ether and hope it arrives safely. (Unlike a wired network, collision detection is imperfect, because device A can’t always detect traffic between device B [in range] and device C [out of range of A but within range of B]. So a more complex strategy of collision avoidance is required.)
“Structured mode is much more like Token Ring (of sainted memory). The access point tells each device when it can transmit and acts as a repeater for all messages, since device A and B may both be within range of the access point, but not of each other. The net result is that, for a simple network, structured mode results in almost twice the traffic. Or am I missing something?”
Anyone have anything we can add to Chris’s astute analysis of the situation?
Agp440.sys problems defy easy solutions
Reader Gil Hennon has an in-depth perspective on a Windows boot problem that has a history going back literally at least four years. He’s done a lot more research into it than I ever have, so I’ll let him lay it all out for you:
- “I haven’t seen anything in the newsletter about PCs that freeze during the boot process, but have encountered the problem lately. Safe Mode and other debugging startup methods are useless.
“Most everyone is calling it the agp440.sys hangup problem, although it seems that that file is not really the problem but just a symptom.
“When I had to research why my PC stopped booting, I found that this has been going on for many years, since about 2001. I have used several ‘fixes’ to get going again, but the problem keeps returning.
“Here are some of my notes on where I got help:
support.microsoft.com/default.aspx?scid=kb;en-us;324764
"This article from Microsoft recommends disabling agp440.sys. Not a good solution. Doesn’t always work. Locks PC with an AGP card in 16-color VGA mode when it does.
ftp.sandpile.org/post/msgs/20002583.htm
"This discussion thread on agp440.sys lockup has been going on since 2002. Some good things to try here, but no single guaranteed solution.
www.computing.net/windows2000/wwwboard/forum/21602.html
"Another useful forum, which started from a message in November 2001.
www.keysolutions.com/blogs/kenyee.nsf/d6plinks/KKYE-6DZHBB
"Suspects that a Windows Update is the root cause for PCs not booting.
“I would like to see an article in the newsletter about this problem, especially one that determines what really works on the problem, and what is merely a temporary fix.
“By the way, I currently put the most faith in solutions that deal with power management, ACPI, APM, and the big mess of differences in hal.dll files.
“I really enjoy the newsletter and appreciate all of your good information and recommendations. This is just one serious problem I have never seen you attack.”
Other people are obviously experiencing this problem, but if a fix hasn’t been found in all this time, are we really dealing with a single issue here? Or are there many hangups, which simply look related? I’d be grateful for any additional diagnoses my readers can provide.
Support two or more VPNs per router
Rich Kole, an MIS administrator with a multinational cable equipment company, points out a limitation of some routers I’ve written about. He prefers routers that permit multiple simultaneous VPN tunnels:
- “One feature of SOHO cable/DSL routers that is rarely mentioned is the ability to support multiple IPSec VPN connections. We have several branch offices with 3-4 people, and they connect to our network via Symantec’s Enterprise VPN software client.
"Linksys and Netgear routers will only support one IPSec VPN tunnel. The only router that I’ve been able to find that supports multiple VPN sessions is the D-Link DI-604. We have a few guys who work out of their homes, and the Netgear and Linksys products work just fine for a single user.
“I also tried a Linksys VPN endpoint, but it turns out that Best Software’s MAS200 accounting/order-entry system does not play well on a VPN endpoint (a known issue with them). We have never had a compatibility issue with the [Symantec] software client, so it looks like we will be sticking with it.
“I haven’t shopped the more expensive routers, as it is difficult to justify replacing a cheap router and a software firewall, particularly at multiple locations.
“You might want to take this feature into consideration in your evaluation of routers.”
In the Security Baseline and elsewhere, I primarily rely on the accumulated weight of reviews by multiple trusted reviewers in deciding what products to list. In the ratings, I’m primarily looking for the most secure products, but every company will have different needs that might cause it to select a competing product.
In addition, many magazines’ reviews tilt toward home and small-business users, since there are a lot more of them than there are large enterprises. Big companies are presumed to be able to afford their own evaluation procedures.
If you need multiple VPNs out of a single router, by all means get a product that handles that requirement.
Problem with patch 901214 — and a fix!
It really makes my day when a reader writes in with a knotty problem, and then writes again with the solution before I’ve had a chance to even start thinking about it! That’s the gift I was given this week by Sav Mellor, an independent consultant:
- “I have my Windows XP SP2 auto-update set to “Download and notify.” I got the notification yesterday (12 July) that three critical updates were available, and one advisory (.NET, which I don’t want).
"So I read the descriptions and applied the three critical patches. KB903235 (IE 5 & 6) and KB890830 (malware remover) were OK (this by a process of trial and error), but KB901214 caused a problem that may not be immediately obvious.
"This patch required a reboot, and after rebooting I re-ran Windows Update (habit, just to check that there is nothing outstanding). But on clicking the “Custom” button to check for updates, I got the message, “The web page is having trouble and cannot display,” and an error number 0x80072F76. (This number is correct, I think — my scribble was a bit indecipherable!)
“I manually backed off KB901214 and the Windows Update problem went away. I have not re-applied this patch.
“Looking at the Windows Update newsgroup, there is a string of postings relating to what appears to be this problem. You might want to check it out for your patch review.
“My machine is a Samsung Centrino laptop, running as an ICS client of a Windows ME ICS server (an ancient Pentium 1 – just a gateway/firewall, really) to a cable broadband link. The laptop runs XP Home, SP2, fully patched (except KB901214!) and is running Windows Firewall with Symantec Corporate Anti-Virus, Microsoft AntiSpyware and Ad-Aware SE, all fully up to date.”
There certainly is a lot of chatter going on about this out there. Patch 901214 relates to Microsoft security bulletin MS05-036, which was released on July 12 to fix the so-called Color Management Module vulnerability. Microsoft added text to its bulletin on July 20, including this in the SMS section: “Some security updates require administrative rights following a restart of the system.” You should re-read the revised bulletin if you experience a problem.
A search in the newsgroups discussing that patch reveals eight or more significant threads. Fortunately, Sav says a solution is at hand:
- “Having had a little more time to experiment, I’ve discovered that in my case, if I apply KB901214 by itself and restart the machine immediately afterwards, it installs successfully. Thought I’d better update you on my situation.”
I’m always glad to help you resolve a problem you no longer have, Sav!
Great tips on setting up a free VPN
My lead article in the July 14, 2005, newsletter announced a startup company offering a free Wi-Fi security and authentication service for small businesses. Reader Scott Beatty noticed that the service uses OpenVPN, a free, open-source application. Coincidentally, Scott has written a detailed tip sheet on how to get the most out of this software:
- “That’s interesting news about WiTopia and PersonalVPN. FYI: I have an article on my Web site on how to set up OpenVPN on Windows:
www.sbeattyconsulting.com/blog/index.php?p=3
“This article is referenced from the OpenVPN site:
“I enjoy and benefit from each of your newsletters.”
I enjoy and benefit from each of the tips sent in by people like you, Scott!
WSUS works fine for most SBS users
Susan Bradley’s column in the July 14, 2005, newsletter contained an item saying users of OEM versions of Small Business Server 2003, such as those pre-installed by HP and Dell, were having problems installing Microsoft’s new Windows Software Update Services. The headline left out the "OEM" part, though. Reader Own Williams sets the record straight:
- “The body of this article qualifies the headline by noting the problems are with OEM installs of SBS. I am concerned, though, that readers will skim the headline and avoid WSUS on all SBS 2003 servers.
"I have installed WSUS on three SBS 2003 servers that I installed myself (not OEM). After applying a couple of minor tweaks, which are documented by Microsoft, I can tell you it works fine on all three. So there does not appear to be any inherent problem with WSUS on SBS 2003.”
My thanks to all my readers who submitted tips this week. Readers Miller, Hennon, Kole, Mellor, Beatty, and Williams will receive gift certificates for a book, CD, or DVD of their choice for sending in tips I printed.
Can you trust your patch tools?
By Susan Bradley
I go to Windows Update or Microsoft Update and think nothing of downloading bits and pieces of what’s there. But many folks would really like to know what is happening to their machines.
Thanks to a Patch Watch tipster, I’m looking at the process of patching in a new light. When I go to Microsoft Update, I simply follow the instructions on the screen. For many folks, however, this monthly process of trusting what is happening to their machines was sorely tested when the switch from Windows Update to Microsoft Update occurred. I usually click Next when told to do so, but other admins want details of the process that’s about to occur.
Step one — a little ActiveX
The first thing you notice when you go to Windows Update is that, in the right-hand corner, it advises that you can change to the newer Microsoft Update. When you click to do so, the first thing that occurs is that some ActiveX controls are installed to ensure that you will now use Microsoft Update. Once you’ve made the switch, it doesn’t mean that you can’t go back to Windows Update. Knowledge Base article 901037 points out that, if you have issues with Microsoft Update, you’ll also have problems with Windows Update. Troubleshoot the issue, rather than assuming that rolling back to Windows Update will fix it.
If you’re using Microsoft Update, you can go online to get troubleshooting aids. Better yet, click Get Help and Support inside the Help program and then click Try Solving your Problem with the Troubleshooter.
If you’re still on Windows Update, you can visit the older troubleshooting aids for help.
Most of the time, I’ve seen update issues resolved by reregistering DLLs, as described in KB 836926, or renaming the Catroot2 folder, as described in KB 822798.
Yes, you can go back to WU
The next concern that my tipster has is that he would be able to undo everything and put his machine back the way it was. The answer is “Yes.” By following the information in KB 901037, you can switch yourself back.
However, I recommend that you stay on Microsoft Update rather than enduring the hassle of having to use both Windows Update and Office Update to upgrade Microsoft software. The only issue I have — and I can understand readers’ concerns about this — is that the Help and Support section makes it sound as though Microsoft Update is a beta product.
Fortunately, the “beta support” discussed therein is the ability to be offered beta software. Click on “Change Settings” and you can choose to be offered beta software.
One Care Beta enters the ring
While Microsoft AntiSpyware extended its beta through December of 2005, word is that One Care, Microsoft’s consumer “one-stop security site” for the home marketplace, has also entered beta testing.
To join the beta (which requires at this writing that you be a U.S. resident), follow Microsoft’s instructions, go to the beta Web site, and nominate yourself with the phrase OneCare as the guest ID.
RSS security feeds for the paranoid
Sometimes I take it for granted that folks know about RSS feeds. RSS stands for Really Simple Syndication. It’s something I use to get information directly to my desktop, or to be exact, to the Newsgator program inside my Outlook application.
If you’re into a bit of security and paranoia, shown below are some of the Web sites and blogs with what I consider to be my must-have RSS feeds. Browse to each site, find the orange XML or RSS icon, and right-click it to subscribe in your favorite RSS reader to have the information pushed to you.
• FSecure’s weblog
• Spyware Warrior
• Microsoft Security Resource Center Blog
• Harry Waldron’s Security MVP blog
• Donna’s Security Flash
• Security Awareness Blog
• Steve Dodson’s blog, which covers Microsoft AntiSpyware
• Steve Lamb on Security
That’s a mere scratch on the surface of the RSS feeds I have in my reader. What about you? Do you have any favorites that keep you up to date and paranoid?
Windows 2000 rollup stops Office floppy saves
I’ll be the first to admit that I haven’t used a floppy disk in ages and have a Tablet PC that doesn’t even have a floppy disk. But the fact is they are still used.
Unfortunately for those who installed Update Rollup 1 for Windows 2000 Service Pack 4, they quickly found that they could no longer save Office files to floppy disks. KB 904368, which is discussed in the PCReview online technical help site, solves that problem.
You’ll have to call Microsoft Product Support Services for this, but it will be a free call for the hotfix.
You’ll be warned that this hotfix is not regression tested. You should thus install it in a test setting first and ensure you have a good backup. Having said that, I can personally attest that I’ve never been adversely affected by hotfixes. Service packs and rollup patches… well, that’s another story.
In other news, Sophos reports that its Antivirus for Windows version 5 causes computers to take up to 15 minutes to log on to a network after Update Rollup 1 is installed. See the company’s article 3287.
Also see Mary Jo Foley’s wrapup of problems with the Windows 2000 rollup.
Exploits in the wild for Firefox and Windows
If you haven’t patched both Firefox and Windows lately, you should seriously consider that this is the time to do it.
In the Firefox camp, several security issues have been patched with upgrades to 1.0.5, followed by 1.0.6 upgrades. We recently saw Kohei Yoshino publish exploit sample code for a Firefox 1.0.4 weakness, as well as exploits for other bugs, which are all fixed if you upgrade to 1.0.6.
An exploit that takes advantage of the Greasemonkey add-in for Firefox, which Brian described in the July 21 newsletter update, has also been published.
Be sure to upgrade to 1.0.6, which has stability fixes that were needed after the 1.0.5 version of Firefox.
In the Windows world, an exploit for the Color Management module, which is fixed by MS05-036 (901214), has been published to the Web.
Also, the Incidents.org Web site is reporting a spike in bad guys scanning ports 1433 and 2100 for Oracle vulnerabilities. All software needs to be patched, but Oracle even needs to patch the patches lately and has been exceedingly late in providing patches to some products, according to eWeek Magazine.
Exchange 2003 crashes after SP1 installed
Spotted an interesting Knowledge Base article that talks about the Exchange Store crashing after Service Pack 1 is installed. KB 899585 talks about a patch you can get if your Exchange is repeatedly crashing on a malformed e-mail.
Normally, the word “malformed” has “malicious intent” attached to it in my mind. So I was a bit surprised to find this merely a hotfix and not raised to a higher status.
Nevertheless, if you’re seeing this issue, call product support. Hotfixes are always free.
MBSA 2.0, XP SP2, and firewall issues
You may be like me, operating your Windows XP SP2 machines with the firewall turned on “inside” the network. If so, in order to remotely scan the attached workstations using the new Microsoft Baseline Security Analyzer, you’ll need to either do a workaround or get a free hotfix to patch the DCOM protocol.
KB 895200 talks about this patch. In an MBSA question and answer document, this hotfix is discussed (along with other workarounds) in the section entitled “How can I scan a computer protected by a firewall?”. You can download the new MBSA from Microsoft. Keep in mind, however, that for networks with mixtures of operating systems and Office suites, you’ll probably want to keep both the old version and the new version, since they scan different things, as described in KB 895660.
Know thy system
A recent thread on a security discussion relates to an occurrence in my office. This involves icons on a desktop, which the user didn’t recall putting there. It reminds me of a phrase used often in security: “Know Thy System.”
If you use a computer for a while, you know when things just don’t seem right or when icons show up that weren’t there before. Make sure you have Brian’s baseline in place. Then go with your gut feelings and know when things “just don’t feel right.”
Susan Bradley is a Small Business Server and Security MVP — Most Valuable Professional — a title bestowed by Microsoft on independent experts who do not work for the company. Known as the “SBS Diva” for her extensive command of the bundled version of Windows Server 2003, she’s a partner in a CPA firm and spends her days cajoling vendors into coding more securely.
Widgets go wild with new Yahoo backing

Yahoo.com acquired Konfabulator, the maker of those shiny little Widget thingies for your Desktop, less than a week ago, and already there’s a subdomain at Yahoo to promote the goodies.
The image at left is from the Multiple City Traffic Widget by Sarah Tuohy. Her handy tool sucks down info from Traffic.com and displays the area you select (greater New York City is shown). You can see this bauble and hundreds of others at the Konfabulator Gallery. To start right at the top of the food chain, visit the big daddy at widgets.yahoo.com. (But don’t download the whole 8.8 MB enchilada until you check out the individual selections at the Gallery.)
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.
