17 Mistakes Microsoft Made in the Xbox Security System


The folks at xbox-linux have a great article on the [17 Mistakes Microsoft Made in the Xbox Security System](http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System). Following is an excerpt of just one back and forth between hackers and Microsoft Security.

The history of Microsoft’s reactions to the font vulnerability is the perfect lesson of how to do it wrong.

  1. After MechInstaller had been released, Microsoft fixed the buffer vulnerability in the Dashboard and distributed this new version over the Xbox Live network and shipped it with new Xboxes.
  1. For the hackers, this was no major problem: It was possible to downgrade the Dashboard of a new Xbox to the vulnerable version. Just run Linux using a savegame exploit, and “dd” the old image. Some people felt downgrading on new Xboxes was not piracy, because after all, Microsoft upgraded Xbox Live users’ hard disks to the new version without asking.
  1. As the next step, Microsoft blacklisted the old Dashboard in the new kernel. It was impossible to just “dd” an old Dashboard image onto newer Xboxes.
  1. Still no major problem for hackers: The second executable on the hard disk, “xonlinedash”, which is used for Xbox Live configuration, had the same bug, so it was possible to copy the old “xonlinedash” and to rename it to “xboxdash” to make it crash because of the faulty fonts.
  1. Microsoft consequently blacklisted the vulnerable version of “xonlinedash”.
  1. Again, no major problem for hackers: All Xbox Live games come with the “dashupdate” application, which adds Xbox Live functionality to the Dashboard for the first Xboxes which came without it. This update application has the same font bug, and it can be run from hard disk. So it is possible to copy the file from any Xbox Live game DVD, rename it to “xboxdash” and let it crash.
  1. Microsoft could not blacklist this one. Xbox Live enabled games run the update application every time they start, making sure the Xbox has the Xbox Live functionality. Blacklisting “dashupdate” would break these games.

We won.