Really Simple Syndication Security
Security concerns have started to grow with Microsoft's announcement that it will build RSS technology into Longhorn.
July 5, 2005
As you probably know by now, Really Simple Syndication (RSS) technology is hotter than a firecracker, and it's set to reach an even larger audience with the eventual release of the next version of Windows (code-named Longhorn).
A wave of concern about security has started to grow with Microsoft's announcement that it will build RSS support into Longhorn. Because Windows is so widely used and RSS will be built in, people have pointed out that RSS could become intruders' avenue of choice for getting exploit content onto a large number of systems.
RSS can be used to deliver all kinds of content, and by far the most common content is HTML-formatted text. However, RSS can deliver more than text. RSS 2.0's enclosure element lets a feed item reference an attached file by URL, size, and MIME type. That mechanism is what makes podcasting possible: audio files are delivered as attachments to RSS items. Likewise, RSS can be used to deliver video, software updates, documents, spreadsheets, and all sorts of other files. The possibilities are nearly unlimited, and therein resides the concern.
RSS is only a delivery vehicle for content. Some helper application is required to read, view, listen to, or otherwise handle that content. For example, if RSS delivers an MP3 audio file, at some point you'll launch your MP3 player to listen to it. The same goes for HTML (rendered by a browser component), video, documents, and so on. If any of the applications used to handle RSS-delivered data have security vulnerabilities, intruders will eventually find a way to use a feed to deliver an exploit for them.
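The point above is that an aggregator should decide what it will hand to a helper application before it hands anything over. The following is an added example, not code from the original article: a small policy check, written here for illustration, that parses a constructed RSS 2.0 feed, strips HTML from item text instead of rendering it, and accepts an enclosure only if it uses HTTPS, points at the feed's own host, carries an allow-listed MIME type whose file extension matches, and declares a plausible size. The feed contents, the host names, the allow-list, and the 200 MB size limit are all assumptions made for the example.

```python
import os
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed (hypothetical hosts): one benign podcast enclosure,
# one "update" that is really an executable, one enclosure pointing off-site,
# and one item with no attachment at all.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Example News</title>
    <link>https://news.example.com/</link>
    <item>
      <title>Weekly show</title>
      <description>Audio edition</description>
      <enclosure url="https://news.example.com/audio/ep1.mp3" length="1024" type="audio/mpeg"/>
    </item>
    <item>
      <title>Critical update</title>
      <description>&lt;script&gt;alert(1)&lt;/script&gt;Install now</description>
      <enclosure url="https://news.example.com/update.exe" length="2048" type="application/octet-stream"/>
    </item>
    <item>
      <title>Off-site video</title>
      <description>Watch this</description>
      <enclosure url="http://evil.example.net/clip.mp4" length="4096" type="video/mp4"/>
    </item>
    <item>
      <title>Plain article</title>
      <description>No attachment here</description>
    </item>
  </channel>
</rss>
"""

# Assumed policy: the only enclosure types this reader will pass to a helper
# application, and the file extensions each type may legitimately carry.
ALLOWED_TYPES = {
    "audio/mpeg": {".mp3"},
    "video/mp4": {".mp4"},
    "application/pdf": {".pdf"},
}
MAX_ENCLOSURE_BYTES = 200 * 1024 * 1024  # assumed limit


def strip_html(text):
    """Reduce item text to plain text rather than handing markup to a browser."""
    return re.sub(r"<[^>]*>", "", text or "").strip()


def check_enclosure(enc, feed_host):
    """Return 'accepted' or a 'rejected: <reason>' verdict for one <enclosure>."""
    url = enc.get("url", "")
    mime = (enc.get("type") or "").lower()
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return "rejected: scheme %r is not https" % parsed.scheme
    if parsed.hostname != feed_host:
        return "rejected: host %r differs from feed host %r" % (parsed.hostname, feed_host)
    if mime not in ALLOWED_TYPES:
        return "rejected: type %r not on allow-list" % mime
    ext = os.path.splitext(parsed.path)[1].lower()
    if ext not in ALLOWED_TYPES[mime]:
        return "rejected: extension %r does not match type %r" % (ext, mime)
    try:
        length = int(enc.get("length", ""))
    except ValueError:
        return "rejected: length is not an integer"
    if not 0 < length <= MAX_ENCLOSURE_BYTES:
        return "rejected: length %d outside policy" % length
    return "accepted"


def triage_feed(xml_text):
    """Parse a feed and return one verdict dict per item."""
    # Feeds have no business carrying a DTD; refusing one blocks entity-expansion
    # tricks. A production reader would use a hardened parser such as defusedxml.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("feed carries a DTD; refusing to parse")
    root = ET.fromstring(xml_text)
    channel = root.find("channel")
    feed_host = urlparse(channel.findtext("link", "")).hostname
    results = []
    for item in channel.findall("item"):
        enc = item.find("enclosure")
        results.append({
            "title": item.findtext("title", ""),
            "text": strip_html(item.findtext("description", "")),
            "enclosure": check_enclosure(enc, feed_host) if enc is not None else None,
        })
    return results


if __name__ == "__main__":
    for verdict in triage_feed(SAMPLE_FEED):
        print(verdict)
```

Run on the sample feed, only the MP3 enclosure is accepted; the executable is refused because its type is not on the allow-list, and the video is refused because it is fetched over plain HTTP from a host other than the feed's. The checks run in order from cheapest to most specific, so a rejected item reports the first policy it failed.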
Because RSS is so widely used and aggregators typically poll their feeds on a schedule without any user interaction, the potential is high that someone could exploit a large number of systems very quickly. For example, a flaw in your Web browser or media player software could be exploited by delivering specially crafted content through a feed that those applications then open.
Combined attacks could be used too. For example, you might subscribe to an RSS feed at a major news site. An intruder might find a way to modify your HOSTS file or poison your DNS cache so that, without your knowledge, your RSS aggregator or reader resolves the news site's name to a server the intruder controls. The aggregator would then pull content from that illegitimate server and possibly launch an exploit on your system. All the while, you're none the wiser, thinking you've simply pulled the latest news articles, which of course would be designed to look exactly like the real thing.
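The HOSTS-file half of that combined attack leaves a trace on disk, and a quick check can find it. The following is an added example, not part of the original article: a parser for the HOSTS file format that tolerates comments, tabs, IPv6 entries, and malformed lines, and reports any entry that pins one of the feed hosts you care about to a local address, since a legitimate news site should never need an entry there. The monitored host names and the sample file contents are constructed for the example.

```python
import ipaddress

# Assumed: the feed hosts this reader is configured to watch for.
MONITORED_FEED_HOSTS = {"feeds.example.com", "news.example.com"}

# Constructed sample HOSTS file. Line 5 and the second name on line 6 are the
# kind of entries an intruder would plant to redirect an aggregator.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp
198.51.100.7    feeds.example.com      # planted entry
203.0.113.9     www.example.com NEWS.example.com
not-an-ip       garbage.example.com
"""


def parse_hosts(text):
    """Yield (line number, address, lowercase host name) for every mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, including inline ones
        if not line:
            continue
        fields = line.split()                # whitespace of any kind separates fields
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                         # first field is not an address; skip the line
        for name in fields[1:]:              # one address may map several names
            yield lineno, str(addr), name.lower()


def find_hijacked_feed_hosts(hosts_text, monitored):
    """Return every HOSTS entry that pins a monitored feed host to a fixed address."""
    monitored = {h.lower() for h in monitored}
    return [
        {"line": lineno, "host": name, "address": addr}
        for lineno, addr, name in parse_hosts(hosts_text)
        if name in monitored
    ]


if __name__ == "__main__":
    for finding in find_hijacked_feed_hosts(SAMPLE_HOSTS, MONITORED_FEED_HOSTS):
        print("HOSTS line %(line)d pins %(host)s to %(address)s" % finding)
```

On a real Windows system the file lives at %SystemRoot%\System32\drivers\etc\hosts, and the same function works unchanged on /etc/hosts. The check covers only the HOSTS file; a poisoned resolver cache leaves no file behind, which is why the stronger defence is for the aggregator to fetch over HTTPS and validate the server's certificate, so that a redirected connection fails rather than silently serving the intruder's content.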
The bottom line is that RSS poses few, if any, security problems in and of itself. The real risk, so far as I can see, is that RSS feeds hand their content to other software that has had its share of problems, such as browsers, assorted media players, and word processors. To protect users, those applications need to be developed to be as secure as possible, and readers should be conservative about what they fetch and hand off automatically. If that isn't accomplished, computer users will be less inclined to use the great RSS technology we now enjoy.