More RSS Stuff (I’m still not convinced)

Posted by in Administrative on Aug 9, 2006

OK, so there was some fiery banter over the weekend (half of which got lost
because of the server restore) about my picking on SPI – or more specifically my
picking on Caleb’s comments to the press – about the potential for significant
malware that utilizes RSS (at least in the near-term). Anyway, I thought
I’d follow up on that and pass along a link that SPI sent around to a whitepaper
that they’ve put together that further outlines their position on this.
The whitepaper, "Feed Injection in Web 2.0", makes for an interesting read, but I’m still not
getting it entirely. As far as I can tell, the point of the paper seems to
be:

  • You can download content that’s created by a potentially dangerous person
  • That content can get rendered by your reader and potentially execute
    scripts
  • Sometimes readers don’t implement security the right way

It seems to me like the first two bullets are sort of the point of
syndication: somebody creates content for others to view – that content might
include client-side functionality (scripts). The third bullet – while both
true and interesting – is also equally true of web content, Flash, email, and
all sorts of other communication methods. So why is it unique to RSS?

Anyway, not to stir back up the bee’s nest, but I’m still not convinced that
there’s anything unique to RSS that makes it more dangerous than other
protocols/communication vectors; I don’t think it’s more likely to facilitate
malware, I don’t think it’s more likely to engender end-user attacks, and I
don’t think it’s likely that it’ll be a common attack vector in general. 
But that’s just my two cents…
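
The second and third points in the list above come down to what a reader does with an item's description before displaying it. An added example, not from the original post or the SPI whitepaper: reader-side allowlist filtering of that field in Python. The tag allowlist, the function names and the sample feed are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

# Constructed sample feed: the description mixes harmless markup with script content.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example</title><item>
<title>Hello</title>
<description>&lt;p onclick="x()"&gt;Hi &lt;script&gt;alert(1)&lt;/script&gt;&lt;a href="javascript:x()"&gt;a&lt;/a&gt; &lt;a href="http://example.com/"&gt;b&lt;/a&gt;&lt;/p&gt;</description>
</item></channel></rss>"""

# Assumed policy: a few formatting tags, and http(s) links as the only attribute kept.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
SAFE_SCHEMES = ("http://", "https://")

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tags are dropped, their text content is kept
        href = ""  # every other attribute (onclick, style, ...) is discarded
        for name, value in attrs:
            ok = tag == "a" and name == "href" and value
            if ok and value.strip().lower().startswith(SAFE_SCHEMES):
                href = ' href="%s"' % escape(value.strip(), quote=True)
        self.out.append("<%s%s>" % (tag, href))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

def sanitize(fragment):
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out)

def render_items(feed_xml):
    # Titles are treated as plain text; descriptions as untrusted HTML.
    root = ET.fromstring(feed_xml)
    return [(escape(i.findtext("title", "")), sanitize(i.findtext("description", "")))
            for i in root.iter("item")]
```

Hardening the XML parser itself against hostile feeds is a separate concern that this block does not address.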

  • http://infosecplace.com/blog Michael R. Farnum

    I agree with your last paragraph except for “I don’t think it’s likely that it’ll be a common attack vector in general.” As common and popular as blogs are, I can easily see it becoming an attack vector for someone trying to create a botnet. Many people spend a lot of time blog hopping, just looking for some cool new blogs. The free blog services facilitate that hopping with the usual bars at the top of the screen.

    With so many people who have no idea what they are doing throwing together blogs and not controlling comments, you may have a very easy way for bad guys to infect machines. And you can’t always depend on the blog provider to stop it for you.

  • http://www.securitycurve.com Ed

    Michael,

    Well, I’ll buy that. I think there are a few factors: RSS readers are more diverse than web browsers; for example, just looking at traffic statistics, most web browsers seem to be either Firefox or IE (on various platforms, but still those two), whereas there are at least 10 different RSS readers in play (SharpReader, RSS Reader, Bloglines, etc.) So, probably at least one or two of those clients are implementing functionality that’s dangerous according to the paper.

    But I guess my point is that I don’t think the problem is RSS itself – it could be a vector for nastiness in the way that SPI describes – but not because of an inherent problem in RSS, but because of the way it’s implemented… By analogy, the recent bugs in IE pointed out by HD Moore make browsing more risky, but because of the browser implementation, not because of an inherent problem with HTML. I think the same is true of RSS…

    Anyway, I guess this is a controversial opinion, but as always I reserve the right to be totally wrong. :-)

    -E
