Microsoft on Tuesday countered criticism leveled at Internet Explorer 7's implementation of RSS, and said that the browser includes several defensive techniques to keep attackers from using feeds to infect users' PCs.
Last week, Bob Auger, an engineer with Web security vendor SPI Dynamics, and
Caleb Sima, one of the company's co-founders, gave a presentation at Black
Hat that discussed ways criminals could compromise computers using scripts
Although Microsoft's IE 7 wasn't specifically targeted in the presentation, Walter VonKoch, a program manager for Internet Explorer, responded with a blog entry that detailed the browser's RSS security steps.
"When downloading feeds, the RSS Platform passes the feed through a sanitization process which among other things removes script from HTML fields like the description element," wrote VonKoch. "Also, text fields, like the title element, are treated as text and not as HTML."
Additionally, IE 7 displays RSS feeds in the browser's "Restricted" security zone independent of where the feed originated (even from a site, say, that was already listed in IE's "Trusted" zone).