Ask the Expert

What are the security risks of Windows Vista RSS functionality?

What are the security implications of placing RSS functionality into an operating system, as Microsoft has planned to do?


Really Simple Syndication, or RSS, has fast become one of the primary methods for online news sites and blogs to make their content easily accessible. Its increased popularity for other types of subject matter, such as audio-based serialized content, meant that it was only a matter of time before it became an integral element of browsers and operating systems.

The RSS support in Windows Vista, primarily through Version 7 of its Internet Explorer Web browser, is built on the Windows RSS Platform, consisting of three components that expose feed handling and management to other Windows applications. All feeds managed by the RSS Platform are stored in the Common RSS Data Store. Feeds are cleansed of potentially malicious code by stripping out scripts and embedded objects. The Common RSS sync download engine downloads content at periodic intervals, using Attachment Execute Services to prevent automatic downloading of potentially malicious file types. Finally, the Common RSS Feed List can be queried by the RSS Platform APIs, giving application developers access to the list of feeds to which the user is subscribed.
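As an added illustration (not Microsoft's code and not part of the original answer), the following Python feed sanitizer mirrors the two defensive behaviours just described: stripping scripts and embedded objects from item content, and refusing enclosures whose file type is on a block list. The element, attribute and extension lists, and the sample feed, are assumptions made for the example; the platform's own lists are not given on this page.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Hypothetical policy lists (the platform's real lists are not on this page).
DANGEROUS_ELEMENTS = {"script", "object", "embed", "iframe", "applet"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".msi"}
ALLOWED_ATTRS = {"href", "src", "alt", "title"}  # no on* event handlers

class _Stripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside <script> etc.
    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_ELEMENTS:
            self.skip_depth += 1
        elif not self.skip_depth:
            kept = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS
                    and not (v or "").strip().lower().startswith("javascript:")]
            self.out.append("<%s%s>" % (tag, "".join(' %s="%s"' % kv for kv in kept)))
    def handle_endtag(self, tag):
        if tag in DANGEROUS_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append("</%s>" % tag)
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

def sanitize_html(fragment):
    # Re-emits item HTML, dropping dangerous elements together with their content.
    p = _Stripper(); p.feed(fragment); p.close()
    return "".join(p.out)

def enclosure_allowed(url):
    # Mirrors the "never auto-download executable types" rule for enclosures.
    path = url.split("?", 1)[0].lower()
    return not any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS)

def sanitize_feed(xml_text):
    # Parses an RSS 2.0 document and returns its items with cleaned content.
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        urls = [e.get("url", "") for e in item.findall("enclosure")]
        items.append({"title": item.findtext("title", ""),
                      "description": sanitize_html(item.findtext("description", "")),
                      "enclosures": [u for u in urls if enclosure_allowed(u)]})
    return items

# Constructed sample feed carrying the kinds of content the platform strips.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Sample</title><item><title>Post</title>
<description><![CDATA[<p onclick="run()">Hi <script>bad()</script><a href="javascript:x()">x</a><a href="http://example.com/">ok</a><object data="e.swf"></object></p>]]></description>
<enclosure url="http://example.com/update.exe" type="application/octet-stream"/>
<enclosure url="http://example.com/ep1.mp3" type="audio/mpeg"/></item></channel></rss>"""
```

Calling `sanitize_feed(SAMPLE_FEED)` yields one item whose description keeps only the paragraph and the two links (the `javascript:` href and the event handler are dropped) and whose enclosure list contains only the audio file.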

The addition of the Windows RSS Platform is not aimed solely at making it easier for users to find, subscribe and manage their RSS feeds. It also means that developers can incorporate the rich capabilities of RSS into their applications. Events in an RSS feed, for example, can be displayed directly in an RSS-enabled calendar application, or a sales manager can have the latest online sales figures fed into his accounts application.

However, any technology that allows data to be shared across applications carries risks. In the same way that applications that use a browser for their user interface become exposed to any browser bugs and vulnerabilities, applications that incorporate RSS can fall prey to any vulnerabilities found in the RSS-enabling technology. Also, adware, spyware and other malicious software writers will no doubt start trying to find ways to add an RSS feed to the user's global feed repository or to use it as a gateway to other data.

Microsoft has done a credible job in eliminating many exploitable vulnerabilities through its security development lifecycle (SDL) and renewed focus on security in its Windows operating system and major applications. The security features in Windows Vista mean that hackers are having to work harder to compromise users' PCs. But what about RSS-enabled applications from other vendors? You may feel that you can trust Internet Explorer to secure the login credentials for feeds such as Gmail that require a password to access them, but what about extending that trust to other applications? I would certainly test new RSS-enabled applications in a safe environment before allowing them to be used throughout an organization. And as with any relatively new technology, particularly one whose functionality is being expanded rapidly, security policies should be updated to define guidelines for acceptable usage.

This was first published in April 2009
