2 min read

Microsoft Defends IE7's RSS Security

A critic says attackers could use malicious JavaScript to launch an attack through RSS, but Microsoft says the new Internet Explorer has some tricks to defend it.
Microsoft on Tuesday countered criticism leveled at Internet Explorer 7's implementation of RSS, and said that the browser includes several defensive techniques to keep attackers from using feeds to infect users' PCs.

Last week, Bob Auger, an engineer with Web security vendor SPI Dynamics, and Caleb Sima, one of the company's co-founders, gave a presentation at Black Hat that discussed ways criminals could compromise computers using scripts in RSS (Real Simple Syndication) feeds. By creating a malicious blog site, for example, an attacker could inject noxious JavaScript code via an RSS feed to end users' machines. Like other script-based attacks, the end result could be anything from identity theft to computer hijack.

Although Microsoft's IE 7 wasn't specifically targeted in the presentation, Walter VonKoch, a program manager for Internet Explorer, responded with a blog entry that detailed the browser's RSS security steps.

"When downloading feeds, the RSS Platform passes the feed through a sanitization process which among other things removes script from HTML fields like the description element," wrote VonKoch. "Also, text fields, like the title element, are treated as text and not as HTML."

Additionally, IE 7 displays RSS feeds in the browser's "Restricted" security zone independent of where the feed originated (even from a site, say, that was already listed in IE's "Trusted" zone).

"By default, script is disabled in the Restricted zone," VonKoch noted.

IE 7, which is currently in its third beta stage, displays RSS feeds in specially-crafted pages.