Windows Secrets Newsletter • Issue 58 • 2005-07-28 • Circulation: over 400,000

By Brian Livingston

You wouldn’t think that playing an audio file or a short video clip on your PC could infect your machine with a virus or spyware. But the growing popularity of downloadable files called "podcasts" can do just that.

A podcast is a new form of homegrown radio or television program that’s delivered directly to your PC, iPod, or portable media player.

Apple Computer released new iTunes 4.9 software on June 28 that supports “podcatching.” You subscribe to certain podcasts, and iTunes automatically downloads new episodes when they’re posted.

Not to be outdone, Microsoft has announced that its new Internet Explorer 7.0 browser, due this fall, will support RSS feeds. These feeds can include podcasts as “enclosures,” somewhat similar to the way e-mail messages have attachments.

All of this big-time support is making podcasting hot, hot, hot. Glowing articles have appeared in the mainstream press. PodcastAlley — which lets visitors rate their favorite programs — lists more than 5,000 podcasters who’ve produced 80,000 episodes, all of them free of charge. That’s up from zero as little as one year ago.

To give you some idea of the scorching growth rate, Wikipedia reports that Google showed only 24 hits on the search term podcasts on Sept. 28, 2004. There are 13.7 million hits today.

I’m glad that everyone’s so excited, but all this happy talk has ignored the fact that podcasts threaten to become another automated way hackers can put viruses and spyware onto your computer.

As we all know only too well, Microsoft Word begat macro viruses, Microsoft Outlook begat e-mail viruses, and Internet Explorer begat ActiveX viruses.

After all that, I was hoping the computer industry had learned its lesson and would avoid creating yet another attack vector via podcasting.

Making podcasts a safe and trouble-free technology requires a single principle from Computer Science 101: Software developers must enforce a separation of code and data. Podcatching applications and media players are code. Podcasts must always be treated as data. Podcasts must not be allowed to run scripts on a computer, install executable files, or anything of the sort.

My investigation this week shows a potential threat from podcasts. Fortunately, no reports of malicious podcasts that have spread viruses or spyware "in the wild" have yet been reported. It’s not too late for us to ensure both safety and ease of use in this exciting technology.

With a few simple steps, you can protect yourself. More important, software developers can easily make podcasts safe enough for even children to use without fear.
 
The good news:
podcatchers can protect you

For this special report, I asked the experts at eEye Digital Security to examine podcasts and podcatching apps. Dozens of podcatching programs are listed at iPodder.org, a podcast resource site, but for an overview it was necessary to test only a small sample.

As part of eEye’s research mission (and without any compensation from me), security product manager Steve Manzuik selected two browser-based RSS readers and two client-based apps to test:

• Sage RSS Feeds Sidebar for Firefox
• Diodia RSS Feeds Toolbar for Internet Explorer
• Primetime Podcast Receiver
• Podfeeder

Manzuik then created RSS feeds using XML, the language of RSS feeds. He added enclosures that contained nasty stuff, including .exe files and other executables that you definitely don’t want running on your computer.

His preliminary tests went fairly well:

1. The browsers gave warnings. When presented with executables, such as .exe files, the browser-based podcatchers benefited from both Internet Explorer and Firefox displaying built-in security-warning dialog boxes. (This level of protection requires IE 6.0 SP1 or higher or any version of Firefox.)

2. All apps saved to disk. Rather than simply streaming a potentially harmful file, all four podcatchers first wrote enclosures to disk. This step allows antivirus and antispyware programs to scan the files and quarantine infected ones. (You need both antivirus and antispyware protection, because antivirus programs generally don’t detect spyware.)

3. The players didn’t run executable files. When the podcatchers routed, for example, .exe enclosures to Windows Media Player to play them, nothing happened. The Play button was actually greyed out, because the file wasn’t in one of the media formats the player expects.

These results are promising, but the tests suggest at least two means of infection that podcatcher developers must guard against. First, podcatching apps might download executable files. When run, these executables would play ordinary audio or video files. But, silently, they would install a Trojan horse that would run or download further adware or spyware.

Second, podcatching apps might download "malformed" or hacked multimedia files. Such files would appear normal, bearing a typical audio or video extension. But, when played, the files would exploit security weaknesses in widely-installed media players. The weaknesses would allow the hacked files to quietly install Trojans, with the same effect as in the first case.

In both cases, the victimized PC users might never know that a particular media file had installed anything unusual. When the PCs started running slowly, displaying pop-up ads, or broadcasting spam surreptitiously, the users might not realize the origin of the malware.

The victims, as a result, wouldn’t realize they should unsubscribe from a particular podcast, which had perhaps accepted a money-per-install deal from adware promoters. Even if such users unsubscribed en masse from a popular but adware-financed podcast, millions of Trojan horses (and anything the malware subsequently downloaded) would continue operating until physically rooted out.

FeedStation rejects executables by design

Security researcher Manzuik told me in an interview subsequent to his tests that malicious podcasts with active content could become problems soon.

“If it’s going to happen,” Manziuk said, referring to infectious podcasts, “it’s going to be a [malformed] file format issue, or it’s going to be through one of these applications that doesn’t warn you what the extension is.”

What to do: Your best protection against podcasts that are actually executable files is to get a podcatcher that downloads only known multimedia file types. FeedStation, a free podcatcher designed for users of the FeedDemon and NewsGator RSS readers, limits its downloads to a list of expected extensions, such as .mp3 and .wmv. (For more information, see Microsoft’s description of multimedia file formats.)

Nick Bradbury, the developer of FeedStation and FeedDemon, says this common-sense protective feature is still rare. "When I first looked at all of the podcatching applications, none of them were doing that," he said in an interview. "All of them were downloading any kind of file."

For this reason and others, I recently recommended FeedStation, FeedDemon, and NewsGator in a review of RSS readers published by Datamation on July 19. FeedStation, to its credit, allows users to add permitted podcast file types if any new formats arise. But users are protected by default against rogue files disguised as podcasts.

The potential for spyware-infected podcasts isn’t just theoretical. Bradbury has publicly stated that he’s already rejected financial offers to circulate adware. Other content providers might not be able to resist the temptation.

While not all developers of podcatchers limit downloads to safe media formats, the applications do generally block "active content" that can appear in XML. "Most RSS readers already block scripts in RSS," Bradbury says. By a sort of programmers’ consensus, RSS readers and podcatchers usually do strip out ActiveX, Visual Basic, OnLoad events, and other tricks hackers could use to hide malware inside podcasts. (Developers: The correct way to do this has been described by Simon Willison, Jeremy Smith, and Michael Radwin’s blog.)

The bad news: players can bite you

The weak link in protecting users from podcasts that could carry viruses or spyware, therefore, is generally not the podcatchers but the media players.

The major offerings — Windows Media Player, iTunes, Quicktime, RealNetworks, and WinAmp — have all suffered from serious security holes. These weaknesses have allowed multimedia files to quietly install malware, while the user sees or hears only the expected video or audio clip. Millions of PC users have already been negatively affected by malicious media files that were downloaded manually. It’s important to prevent podcasts from being able to automatically exploit media players in the same way.

In the next issue of the newsletter, to be published on Aug. 11, I’ll show you simple steps you can take to protect yourself against media players that might stab you in the back. It’s not difficult, and it means your PC can download all the podcasts you like with little or no danger.

To send us more information about podcasting, or to send us a tip on any other subject, visit WindowsSecrets.com/contact. You’ll receive a gift certificate for a book, CD, or DVD of your choice if you send us a comment that we print.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.