So, what are the security risks?
They fall into two categories: attacks against RSS software itself, and attacks that use RSS to distribute malicious code to browsers and mail readers.
The software in RSS readers parses the XML, and it is conceivable that the software can have a buffer overflow, format string, or other vulnerability that an attacker could exploit. If that is indeed the case, the RSS reader can be exposed to such attacks whenever it updates itself; no human interaction is even necessary. While there isn't a history of specific flaws in RSS readers, it's certainly something to keep an eye on, given all of the client-side vulnerabilities in other software we've seen recently.
Attackers could also embed malicious scripts in RSS feeds, hoping someone will use a browser to read the feed and then run the malicious script inside the browser. There is indeed a history of this kind of attack. About a year ago, Yahoo's in-line RSS reader was discovered to have a cross-site scripting flaw.
An attacker could create an RSS feed that includes a cookie-stealing browser script and push the feed to someone who uses the Yahoo Web site to read RSS updates. An attacker could then steal all of their Yahoo-related cookies.
What's the best defense against these kinds of attacks? First off, make sure you keep your client-side applications patched; that includes browsers and RSS readers. Next, deploy an antivirus and antispyware tool to try to foil malware that might get loaded. And, finally, keep your RSS feeds pared down to those for which you have a defined business purpose. Don't subscribe to hundreds of useless feeds; focus on those that you really need.
Related Q&A from Ed Skoudis
At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ...continue reading
Wi-Fi on airplanes seems like it will be unavoidable in the future, but what security risks does it pose? In this security threats expert response, ...continue reading
There are some rare forms of malware that antivirus software doesn't pick up on, but there are some good tools to remove all sorts of malware.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.