When Microsoft releases the next version of its Web browser, the company may usher in a wave of attempted hijacks of syndicated content from legitimate publishers.
The bogus feeds could deliver much of the same malicious code and links affecting computers via the Web and e-mail phishing scams, according to some antivirus and security experts.
In an RSS attack scenario, users click on links that appear to be from trusted sites (sites to which they have subscribed). At the offending sites, victims turn over their personal information to phishers, rather than to legitimate organizations. Or, In another scenario, users access virus-infected content already downloaded to their hard drives, even after an offending Web site has been removed from the Internet.
Two things have been holding criminal hackers back: RSS is not yet a mainstream medium; and there are far too many reader applications to make targeting any one of them worthwhile.
"Just as trust is a crook's friend, diversity is his enemy," said Don Park, who runs Docuverse, a development consultancy based in Redwood City, Calif. Park also edits the blog Don Park's Daily Habit, which features discussion of security issues.
But that may change when Microsoft releases Internet Explorer 7.0, which reportedly supports RSS feeds. (Microsoft is branding the RSS feeds feature in Explorer 7 as "Web feeds.") By bundling RSS feeds as a part of IE 7, and with its forthcoming Windows Vista and Longhorn operating systems, RSS will effectively become ubiquitous.
But the new feature also benefits malware writers.
"Internet Explorer will give (criminal hackers) a mainstream target," said Joe Hartmann, director of antivirus research at Trend Micro, Inc., a Tokyo-based security software and services company. "There is a great potential for its misuse."
Hackers have already written code that tries to modify Web browser bookmarks. And they will undoubtedly attempt to do the same with RSS readers, Hartmann and Park suggested.
Phishers could slip malicious links in with those that are a part of legitimate subscriptions.
A subscriber to one of the Financial Times' RSS feeds, for example, could click on a link to a phony Web site, believing it was associated with the respected U.K.-based newspaper.
Another problem is the automated nature of data syndication. Even if a phishing site is disabled by law enforcement officials, its content may have already been downloaded by thousands of RSS readers, Hartmann said.
RSS subscribers are quick to add subscriptions and slow to remove them, Park said.
"Once one subscribes to a feed, he rarely unsubscribes," he said. "So when a user double-clicks on a post with enclosure, some aggregators will just find an app that can handle that MIME-type and launch it."
However, the news about RSS is not all bad, especially for corporate users.
"The feeds are a part of HTTP traffic that has to go through port 80, and there are tools to secure traffic at that point," said Hartmann, who added that exploits may not appear for a year or two.
Microsoft is also taking action to make its software less hospitable to criminals.
Park said that was the point of his recent blog post about the potential for RSS exploits: "Microsoft will help us identify security issues, not that MS is going to open another can of worms," he said. (The post from Park's blog was picked up by online communities, in which some of the discussions turned against Microsoft.)
Microsoft's anti-phishing feature for Internet Explorer 7 suggests it is trying to stem phishing scams and virus attacks.
"At least they are taking security into account in the design process," said Ero Carrera, an antiviral researcher at Helsinki-based security provider F-Secure Corp. "That's something they were not doing four to five years ago, or longer (with earlier versions of Windows)."
Now, Windows security is not always perfect, said Carrera, "but it is much more tight."