Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Microsoft Defends IE 7's RSS Security

Microsoft on Tuesday countered criticism leveled at Internet Explorer 7's implementation of RSS, and said that the browser includes several defensive techniques to keep attackers from using feeds to infect users' PCs.

Last week, Bob Auger, an engineer with Web security vendor SPI Dynamics, and
Caleb Sima, one of the company's co-founders, gave a presentation at Black
Hat that discussed ways criminals could compromise computers using scripts
in RSS (Real Simple Syndication) feeds. By creating a malicious blog site, for example, an attacker could inject noxious JavaScript code via an RSS feed to end users' machines. Like other script-based attacks, the end result could be anything from identity theft to computer hijack.

Although Microsoft's IE 7 wasn't specifically targeted in the presentation, Walter VonKoch, a program manager for Internet Explorer, responded with a blog entry that detailed the browser's RSS security steps.

"When downloading feeds, the RSS Platform passes the feed through a sanitization process which among other things removes script from HTML fields like the description element," wrote VonKoch. "Also, text fields, like the title element, are treated as text and not as HTML."

Additionally, IE 7 displays RSS feeds in the browser's "Restricted" security zone independent of where the feed originated (even from a site, say, that was already listed in IE's "Trusted" zone).

  • 1