Microsoft Responds On RSS Concerns
David Utter Staff Writer
2006-08-09
After a Black Hat presentation raised the potential of RSS feeds as an attack vector, Microsoft described the steps it has taken to mitigate that risk.
RSS offers some distinct advantages over email. Being an opt-in only method, it eliminates the potential for external spammers to jam up one's feed reader with useless messages, as happens with email inboxes.
Should a feed be compromised, as was discussed at Black Hat in a session on RSS security, the attacker could hit thousands of subscribers with a malicious payload almost instantly.
That presentation also picked on web-based RSS readers, citing their vulnerability to SQL injection, command execution, and DoS attacks. These are scenarios that Microsoft wants to eliminate before they become a reality.
In the Team RSS Blog, Walter vonKoch of Microsoft wrote of how the company has considered potential issues in IE7 and the Windows RSS Platform. They have worked on ways to thwart possible threats from scripts in feeds.
The RSS Platform performs a sanitization process that removes script from HTML fields in a feed. The sanitized form remains persistent in the RSS Store, so when other applications like IE7 access it, they will not be exposed to threats present in the original form.
In IE7, Feed View runs in the Restricted Zone when displaying feeds, vonKoch wrote. This takes place no matter where a feed originated. Script is disabled in the Restricted Zone, as are URL Actions that could be triggered by active content.
Said vonKoch: "We designed and implemented the RSS features using the principles of the Secure Development Lifecycle as embraced by Microsoft. One of the principles is defense in depth. The idea being that even if script somehow were to sneak by the first layer of defense, the impact that the script could have is restricted, if not entirely negated."
We think other RSS readers and platforms will implement sanitization if they have not done so already. It looks like a natural step forward for the web-based RSS readers in particular.
About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.