Home & Office

Old hack haunts WebTV

Macro code in email signatures flood WebTV newsgroups with forged messages
Written by Robert Lemos, Contributor

An HTML hack -- which had previously allowed attackers to command users' machines to send forged email -- caused renewed headaches for Internet-over-TV provider WebTV Networks this past weekend.

The new spin on an old security hole allows cyber vandals to use an embedded URL in email and newsgroup postings that cause subscribers to execute a WebTV-specific macro program. In this case, the macros caused the offending URL to be copied into the user's signature file, and thus be appended to all future emails and newsgroup postings. It also sends an email to several specified newsgroups.

The result last weekend was that unsuspecting users caused an avalanche of postings to several WebTV newsgroups, which buried all normal postings.

WebTV acknowledged the problem, pointing its finger at an old bug that it thought that it had fixed. The bug allows WebTV's proprietary macros, which are embedded in messages, to execute as "trusted" applications.

"Modifying the signature and posting the message without the user's knowledge are two things that this bug allows," said Jeff Allen, operations engineer for WebTV Networks. "When you put them together, you get something like this."

The problem only affected WebTV users with the WebTV Classic device and the service's internal newsgroups. By the weekend, 14 users had complained to WebTV. Some reports called the exploit a "virus", despite WebTV's assurances that it wasn't.

According to a WebTV's Allen, the embedded URL hidden in the subscribers' signatures calls an external homepage that contains the HTML macro program. Because of the WebTV bug, the program runs on the user's WebTV device with "trusted" privilege, allowing it to execute any valid commands.

WebTV has not taken the online vandalism sitting down. "Clearly, this is a pretty embarrassing bug, and we want to get it fixed as soon as possible," said Allen.

While some newsgroups had been flooded last week, Allen and others have succeeded in shutting down the external pages that contained the embedded code, thus stopping the exploit at the source. The company's network administrators are monitoring the service's newsgroups 24 hours a day to minimise the effect of any new uses of the exploit. In addition, WebTV has promised to patch the network hole by the end of this week.

WebTV has little patience with any "wannabee hackers" who attempt to use the code, said Allen. Anyone caught using the bug to cause a WebTV user to send messages without their knowledge will be kicked off the system. The company has not yet tried to find out who began spreading the malicious code. "We have a zero tolerance policy," he said. "We were able to cancel at least a few people for using code like this. It has worked pretty well. The number of people has basically gone down to zero."

Have you see ZDNet's updated TOPIC Hackers area, complete with downloads, and all the latest hacking news?

What do you think? Tell the Mailroom and read what others have to say.

Editorial standards