Microsoft XBOX Console Security Vulnerability

Aargh! I was reading about this story on LinuxFormat about an XBox unchecked vulnerability in the font loader which allows you to execute arbitrary code. The proof of concept of the exploit is a font and set of files which allow you to boot into Linux without hardware mods!

“Free-X had been trying to negotiate with Micro$oft, and was requesting the release of a “signed” Linux boot loader, which would allow Xbox owners to run the open source operating system without any hardware modifications or the exploitation of the console. Micro$oft would not negotiate, so they released the exploit, which unfortunately means that not only can this console now run Linux, Micro$oft’s rival OS, but every version of the console can now also run pirated games out of the box. Ooops.
Another blow to a console that has yet to make a profit for the company”

What is interesting is the rest of the article which goes on to ponder about the very serious security implications of future Microsoft products:

“This actually has serious implications for the credibility of Micro$ofts security in light of recent events.
The XBOX console’s security is in fact a prototype of Palladium, a new “trusted” architecture which Micro$oft developed to help save the music industry from the threat of being reduced to fair pricing by uncontrollable peer to peer networks.
The idea is to have hardware which will only run “trusted”, or “signed”, well more precisely Micro$oft code.”

If Microsoft cannot be trusted to check the validity of all files on it’s own products, there is no hope that they can ever produce a secure product. This isn’t a bug (although it explots a bug) it’s is simply poor design, and poor programming, lack of attention to detail.
All this on top of the second password reset exploit in Passport (see this internet week story and this Seattle Times story about disclosure), just serves to confirm my complete lack of trust in the security of anything Microsoft produce.

Original link from Mark over at Flat8

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.