So, what are the security risks?
They fall into two categories: attacks against RSS software itself, and attacks that use RSS to distribute malicious code to browsers and mail readers.
The software in RSS readers parses the XML, and it is conceivable that the software can have a buffer overflow, format string, or other vulnerability that an attacker could exploit. If that is indeed the case, the RSS reader can be exposed to such attacks whenever it updates itself; no human interaction is even necessary. While there isn't a history of specific flaws in RSS readers, it's certainly something to keep an eye on, given all of the client-side vulnerabilities in other software we've seen recently.
Attackers could also embed malicious scripts in RSS feeds, hoping someone will use a browser to read the feed and then run the malicious script inside the browser. There is indeed a history of this kind of attack. About a year ago, Yahoo's in-line RSS reader was discovered to have a cross-site scripting flaw.
An attacker could create an RSS feed that includes a cookie-stealing browser script and push the feed to someone who uses the Yahoo Web site to read RSS updates. An attacker could then steal all of their Yahoo-related cookies.
What's the best defense against these kinds of attacks? First off, make sure you keep your client-side applications patched; that includes browsers and RSS readers. Next, deploy an antivirus and antispyware tool to try to foil malware that might get loaded. And, finally, keep your RSS feeds pared down to those for which you have a defined business purpose. Don't subscribe to hundreds of useless feeds; focus on those that you really need.
This was first published in April 2007