
08.09.06 Microsoft Responds On RSS Concerns
By David A. Utter
After a Black Hat presentation called the potential of RSS feeds as an attack vector into question, Microsoft described steps they have taken to mitigate this.
RSS offers some distinct advantages over email. Being an opt-in only method, it eliminates the potential for external spammers to jam up one's feed reader with useless messages, as happens with email inboxes.
Should a feed be compromised, as was discussed at Black Hat in a session on RSS security, the attacker could hit thousands of subscribers with a malicious payload almost instantly.
That presentation also picked on web-based RSS readers, citing their vulnerability to SQL injection, command execution, and DoS attacks. These are scenarios that Microsoft wants to eliminate before they become a reality.
In the Team RSS Blog, Walter vonKoch of Microsoft wrote of how the company has considered potential issues in IE7 and the Windows RSS Platform. They have worked on ways to thwart possible threats from scripts in feeds.
The RSS Platform performs a sanitization process that removes script from HTML fields in a feed. The sanitized form remains persistent in the RSS Store, so when other applications like IE7 access it, they will not be exposed to threats present in the original form.
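As an added illustration of what such a sanitization pass does before a feed is persisted, here is a small Python sanitizer run over a constructed RSS 2.0 feed; it is not Microsoft's code and not from the original article. It drops script and other active-content elements, inline event-handler attributes and javascript: URLs from each item's HTML description, so that a reader displaying the stored form never sees them. The sample feed, the tag list and the function names are assumptions.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
# Constructed sample feed (not from the article): the item's HTML description
# carries a script element, an inline event handler and a javascript: link.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item><title>Post</title>
<description><![CDATA[<p onmouseover="alert(1)">Hello <b>world</b></p>
<script>alert(1)</script><a href="javascript:alert(1)">link</a>
<a href="https://example.com/">ok</a>]]></description>
</item></channel></rss>"""

DROP_TAGS = {"script", "style", "object", "embed", "iframe"}  # active content

class FeedHtmlSanitizer(HTMLParser):
    """Rebuilds a feed's HTML field with script and active content removed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.skip += 1
        elif not self.skip:
            kept = []
            for name, value in attrs:
                v = (value or "").strip()
                if name.startswith("on"):                  # inline event handlers
                    continue
                if name in ("href", "src") and v.lower().startswith("javascript:"):
                    continue                                 # script URLs
                kept.append(f' {name}="{html.escape(v, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_feed(xml_text):
    """Returns {item title: sanitized description}, the form a feed store persists."""
    results = {}
    for item in ET.fromstring(xml_text).iter("item"):
        p = FeedHtmlSanitizer()
        p.feed(item.findtext("description") or "")
        p.close()
        results[item.findtext("title")] = "".join(p.out)
    return results
```

Running `sanitize_feed(SAMPLE_FEED)` yields a description containing only the paragraph and the https link, with the script element, the event handler and the javascript: URL gone.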
In IE7, Feed View runs in the Restricted Zone when displaying feeds, vonKoch wrote. This takes place no matter where a feed originated. Script is disabled in the Restricted Zone, as are URL Actions that could be triggered by active content.
Said vonKoch: "We designed and implemented the RSS features using the principles of the Secure Development Lifecycle as embraced by Microsoft. One of the principles is defense in depth. The idea being, even if script somehow were to sneak by the first layer of defense, the impact that the script could have is restricted, if not entirely negated."
We think other RSS readers and platforms will implement sanitization if they have not done so already. It looks like a natural step forward for the web-based RSS readers in particular.
About the Author: David Utter is a business and technology writer with WebProNews.