The Internet has turned into a replica of our unstable reality: cyberthreats now propagate through every data flow and exploit any data format. RSS feeds were no more than a convenient data representation, useful for reading many sources of information in a single place. However, malicious data can be injected even into feeds, which is an unpleasant discovery. CNET News tells more in "Blog feeds may carry security risk".
The story goes: reading blogs via popular RSS or Atom feeds may expose computer users to hacker attacks, a security expert warns.
Attackers could insert malicious JavaScript in content that is transferred to subscribers of data feeds that use the popular RSS (Really Simple Syndication) or Atom formats, Bob Auger, a security engineer with Web security company SPI Dynamics, said Thursday in a presentation at the Black Hat security event here.
The problem doesn't affect only blogs--any kind of information feed using any kind of format could potentially be used to transmit malicious content to a subscriber, Auger said. People, for example, subscribe to mailing lists and news Web sites via RSS, he said, noting "this is about the entire concept of Web feeds."
SPI Dynamics examined a number of online and offline applications used to read RSS and Atom feeds. In many cases, any JavaScript code delivered on the feed would run on the user's PC, meaning it could be vulnerable to attack, Auger said. JavaScript is a scripting language that experts say is increasingly causing security concerns.
Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said.
Also, attackers could send malicious code to mailing lists that offer RSS or Atom feeds and commandeer vulnerable systems that way, Auger said. Feeds are popular because they let people consolidate information streams from multiple sites, such as blogs, in one application, called a feed reader, removing the need to surf to multiple sites.
Many of the popular feed reading applications are faulted because the designers have failed to add valuable security checks, Auger said. In particular, the applications should not allow JavaScript that is included in feeds to run. Instead, it should be filtered out, he said.
Additionally, some reader software on Windows systems uses Internet Explorer to display feed content, but doesn't use basic security settings that isolate the content. Instead, the JavaScript is downloaded to the PC and has full access, which can fully expose a person's PC, Auger said.
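As an added example of the filtering Auger recommends (this is illustration code, not from the CNET story or from IPHost), the Python below is a small feed reader front end: it parses a constructed RSS feed and passes each item's HTML description through an allow-list sanitizer that drops script elements, event-handler attributes and javascript: links before anything reaches the HTML view. The tag and attribute allow-lists are assumptions chosen for the example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
# Constructed sample feed (no real site): the second item plays the role of a
# blog comment that smuggles a script tag, an event handler and a javascript: link.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example blog</title>
<item><title>Safe post</title>
<description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</description></item>
<item><title>Comment feed</title>
<description>&lt;p onmouseover="alert(1)"&gt;hi&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;&lt;a href="javascript:alert(1)"&gt;x&lt;/a&gt;</description></item>
</channel></rss>"""
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}   # nothing else survives: no on* handlers, no style, no src
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class FeedHtmlSanitizer(HTMLParser):
    # Allow-list sanitizer: rebuilds the fragment keeping only known-safe tags/attributes.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>; their text is dropped
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return            # unknown tag is dropped, its text content is kept
        kept = []
        for name, value in attrs:   # HTMLParser lower-cases names, so onMouseOver is caught too
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None or (
                    name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES)):
                continue      # drops handlers and javascript:/data:/vbscript: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    parser = FeedHtmlSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def render_feed(xml_text):
    # What a reader should hand to its HTML view: titles plus sanitized descriptions.
    root = ET.fromstring(xml_text)
    return [(item.findtext("title", ""), sanitize_html(item.findtext("description", "")))
            for item in root.iter("item")]
```

Allow-listing known-safe markup is more robust than deny-listing known-bad markup, which misses obfuscated or unusual variants.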
This illustrates the overall trend: security considerations aren't always taken into account when a new technique or technology spreads. The JavaScript security model isn't always implemented flawlessly in a number of popular products. Of course, monitoring all program activity could warn the user in such cases, but reality shows that too much monitoring has the opposite effect: after having to decide many times whether to grant an application the right to perform a potentially dangerous action, people become tired and either switch the monitor off or accept whatever it offers.
Problems of this type can't be delegated to end users, simply because users are the weakest link in any security model.
This article was brought to you by the developers of IPHost Network Monitor, network and server monitoring software.