Microsoft fixing Bing bug that helped spammers
Microsoft on Wednesday said it is fixing a bug in Bing that allowed spammers to bypass spam filters and distribute malicious links.
Researchers at Webroot Software discovered a spam campaign earlier this week that used the search engine's own redirection mechanism and a link-shrinking technique to send people to spam Web pages, according to a post on the Webroot threat blog.
The problem is with how Bing formats links in RSS feeds. The redirect from Bing to the spam site is not obfuscated, allowing scammers to append anything to the end of the Bing redirect URL and thus trick spam filters, said Andrew Brandt, a threat researcher at Webroot.
In the specific case Webroot examined, an RSS feed in Bing contained a link that bounced through MySpace's link shrinker and landed on a spam Web page that looked like a news site customized to the user's geolocation and offered vague work-from-home jobs.
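A defensive check for the redirect chain described above, as an added example that is not from the article or from Webroot: it unwraps URLs nested inside a link so a filter judges the last visible hop rather than the trusted host the link starts on. The hosts `search.example`, `short.example` and `spam.example` and the `u`/`t` parameter names are constructed; the article does not give Bing's actual redirect URL format.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed policy data and links for this example; none come from the article.
TRUSTED_HOSTS = {"search.example"}    # hosts a naive filter allows outright
SHORTENER_HOSTS = {"short.example"}   # link shrinkers: real target not in the URL
CHAINED = "http://search.example/r?u=http%3A%2F%2Fshort.example%2Fabc123"
DOUBLE = ("http://search.example/r?u=http%3A%2F%2Fshort.example%2Fgo%3Ft%3D"
          "http%253A%252F%252Fspam.example%252Fjobs")

EMBEDDED_URL = re.compile(r"https?://[^\s&\"'<>]+", re.IGNORECASE)

def naive_verdict(url):
    """What the bypassed filter does: trust the link by its first host."""
    host = (urlsplit(url).hostname or "").lower()
    return "allow" if host in TRUSTED_HOSTS else "score as " + host

def embedded_hops(url, max_depth=5):
    """List the host of `url` and of every URL nested inside it, in order."""
    hops, current = [], url
    for _ in range(max_depth):
        parts = urlsplit(current)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            break
        hops.append(parts.hostname.lower())
        # Decode one layer per pass so %-encoded nested URLs become visible,
        # then look past the host for the next embedded absolute URL.
        tail = unquote(current[len(parts.scheme) + 3:])
        match = EMBEDDED_URL.search(tail)
        if not match:
            break
        current = match.group(0)
    return hops

def verdict(url):
    """Judge a link by its last visible hop, not the host it starts on."""
    hops = embedded_hops(url)
    if not hops:
        return "reject: unparseable"
    final = hops[-1]
    if final in SHORTENER_HOSTS:
        return "hold: ends at a link shrinker, resolve before scoring"
    return "allow" if final in TRUSTED_HOSTS else "score as " + final

if __name__ == "__main__":
    for link in (CHAINED, DOUBLE, "http://search.example/results?q=jobs"):
        print(naive_verdict(link), "|", verdict(link))
```

A link that ends at a shrinker is held rather than scored because its real destination is only known after the shrinker is resolved.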
Asked for comment, a Microsoft representative said late on Wednesday: "We were testing new features to improve the search experience for our customers, and during our testing, we found a bug that was causing this issue. We are taking immediate action and expect a fix in the next 48 hours."
Meanwhile, a MySpace representative had this to say when asked for comment: "The security of our users is a top priority for MySpace. With thousands of link-shortening systems available on the Internet, similar to MySpace's MSPLinks, it is critical that sites like Bing employ security measures such as the prevention of URL redirection."
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.





They close one bug and two more appear. What's needed are deeper architectural changes which no one wants to make.
Are you looking to start one?
Now I don't give a tinker darn if there is a way to fix this outside of removal, Customers DO NOT expect to have to tweak software when they install it, they expect it to work without issue.
And while I am ranting how many more out there besides the 100 or so I have talked to at the local national music store can no longer use the sound systems on their PCs after Microsoft forced mandatory updates from the last terrible Tuesday?? I have yet to find any way to fix this. And to date it has cost me over $2500 in Comeback freebies!!!!!!
Hey MicroCRAP can ya'll smell the new class action lawsuit from Bad Software? I can and my lawyers are REAL HOOOOONNNNGRY!!!! SKIPPY!!!!
Anywho, tried Bing again versus Google...... Bing = FAIL again.
In fact your beloved Apple is notorious for not fixing these kinds of problems. For example this one was reported to Apple back in May and yet is still broken:
http://www.marsmenschen.com/content/apple-website-simple-xss
(ironically it's on Apple's dev community website... I guess Apple just doesn't care about security or they would have fixed it).
It is always refreshing to know we can count on you for making ignorant and petty comments focused on your hatred for all things Microsoft.
Now then, would you like to try again with something *useful* to say or would you rather continue your uncreative prattle?
I don't hate everything MS. I have one of their trackballs (2 actually) and I love them."
You should go back to playing with your balls then... :-D
>> Wow! Imagine a software product/service from MS that has security issues.
Name one company whose products and services don't have security issues. Any sufficiently complex system will have bugs, and bugs often manifest themselves as security exploits.
Microsoft has done a lot to eliminate them over the years and has less than others, however the bad guys still only target Microsoft.
---------------------------------------------------------------------
Oh wow, you apologists can't really believe that garbage, can you? What did Ballmer feed you to make you so brain-washed and gullible?
The "bad guys" are lazy and target the easy targets. Guess who those "easy targets" are. Hint: review your comment again. Think about it for just a moment (I know it's hard, but trust me it won't hurt you), why spend months playing around with a handful of vulnerabilities in the hopes to make an exploit out of them when you can count on M$ making exploits easy?
Have fun.... don't get any on ya ;)
Not kidding about Bing for search though. Tried it a few times, and it's lame. Nothing about Apple, MS, Yahoo! or whatever. Google left it in the dust in my tests.
Enjoy your big day....Cheers!
- by jcomputm October 21, 2009 9:27 PM PDT
- Give Bing a chance, Microsoft has just been working on some other projects such as Microsoft Courier and Security Essentials.
- by baconstang October 21, 2009 9:40 PM PDT
- And finding Sidekick data.....
- by Dalkorian October 22, 2009 12:09 PM PDT
- The nice thing about being a slave is you don't have to think or take responsibility for anything, you can just blame it all on your master. Thinking people find bung and the whole "M$ filtered manure" idea offensive.