
IE 7.0 may usher in wave of RSS exploits

By Mark Baard, Contributor
06 Sep 2005 | SearchSecurity.com


When Microsoft releases the next version of its Web browser, the company may usher in a wave of attempted hijacks of syndicated content from legitimate publishers.

The bogus feeds could deliver much the same malicious code and links that already reach computers through the Web and e-mail phishing scams, according to some antivirus and security experts.

In an RSS attack scenario, users click on links that appear to come from trusted sites (sites to which they have subscribed). At the offending sites, victims turn over their personal information to phishers rather than to legitimate organizations. In another scenario, users open virus-infected content already downloaded to their hard drives, even after the offending Web site has been removed from the Internet.


Two things have been holding criminal hackers back: RSS is not yet a mainstream medium, and there are far too many reader applications for targeting any one of them to be worthwhile.

"Just as trust is a crook's friend, diversity is his enemy," said Don Park, who runs Docuverse, a development consultancy based in Redwood City, Calif. Park also edits the blog Don Park's Daily Habit, which features discussion of security issues.

But that may change when Microsoft releases Internet Explorer 7.0, which reportedly supports RSS feeds. (Microsoft is branding the RSS feeds feature in Explorer 7 as "Web feeds.") By bundling RSS feeds into IE 7, and with its forthcoming Windows Vista and Longhorn operating systems, Microsoft will effectively make RSS ubiquitous.

But the new feature also benefits malware writers.

"Internet Explorer will give (criminal hackers) a mainstream target," said Joe Hartmann, director of antivirus research at Trend Micro, Inc., a Tokyo-based security software and services company. "There is a great potential for its misuse."

Hackers have already written code that tries to modify Web browser bookmarks, and they will undoubtedly attempt the same with RSS readers, Hartmann and Park suggested.

Phishers could slip malicious links in with those that are a part of legitimate subscriptions.

A subscriber to one of the Financial Times' RSS feeds, for example, could click on a link to a phony Web site, believing it was associated with the respected U.K.-based newspaper.

Another problem is the automated nature of data syndication. Even if a phishing site is disabled by law enforcement officials, its content may have already been downloaded by thousands of RSS readers, Hartmann said.

RSS subscribers are quick to add subscriptions and slow to remove them, Park said.

"Once one subscribes to a feed, he rarely unsubscribes," he said. "So when a user double-clicks on a post with an enclosure, some aggregators will just find an app that can handle that MIME type and launch it."
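A defensive check along the lines of the risks Hartmann and Park describe, added here as an example and not taken from the article: parse a feed and flag items whose links leave the publisher's host, or whose enclosure carries a MIME type an aggregator might hand straight to a local program. The feed contents, host names and MIME-type list are constructed for this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed (not from the article): one legitimate item, one
# injected phishing link, and one item carrying an executable enclosure.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example News</title>
    <link>https://news.example.com/</link>
    <item>
      <title>Markets close higher</title>
      <link>https://news.example.com/markets/close</link>
    </item>
    <item>
      <title>Verify your account</title>
      <link>http://news-example.com.login.example.net/verify</link>
    </item>
    <item>
      <title>Podcast episode 12</title>
      <link>https://news.example.com/podcast/12</link>
      <enclosure url="http://cdn.example.net/ep12.exe"
                 type="application/x-msdownload" length="1024"/>
    </item>
  </channel>
</rss>"""

# Enclosure MIME types an aggregator might pass straight to a local app
# (assumption: set chosen for this example, not taken from the article).
RISKY_ENCLOSURE_TYPES = {"application/x-msdownload",
                         "application/x-msdos-program", "application/octet-stream"}

def audit_feed(xml_bytes):
    """Return a list of (item_title, reason) findings for an RSS 2.0 feed."""
    root = ET.fromstring(xml_bytes)
    channel = root.find("channel")
    feed_host = urlparse(channel.findtext("link", "")).hostname
    findings = []
    for item in channel.findall("item"):
        title = item.findtext("title", "")
        link_host = urlparse(item.findtext("link", "")).hostname
        # A link that leaves the publisher's host is the phishing case above.
        if link_host != feed_host:
            findings.append((title, f"link host {link_host!r} differs from feed host {feed_host!r}"))
        enc = item.find("enclosure")
        # An enclosure of an executable type is the auto-launch case above.
        if enc is not None and enc.get("type", "").lower() in RISKY_ENCLOSURE_TYPES:
            findings.append((title, f"executable enclosure type {enc.get('type')!r}"))
    return findings
```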

However, the news about RSS is not all bad, especially for corporate users.

"The feeds are a part of HTTP traffic that has to go through port 80, and there are tools to secure traffic at that point," said Hartmann, who added that exploits may not appear for a year or two.

Microsoft is also taking action to make its software less hospitable to criminals.

Park said that was the point of his recent blog post about the potential for RSS exploits: "Microsoft will help us identify security issues, not that MS is going to open another can of worms," he said. (The post from Park's blog was picked up by online communities, in which some of the discussions turned against Microsoft.)

Microsoft's anti-phishing feature for Internet Explorer 7 suggests it is trying to stem phishing scams and virus attacks.

"At least they are taking security into account in the design process," said Ero Carrera, an antiviral researcher at Helsinki-based security provider F-Secure Corp. "That's something they were not doing four to five years ago, or longer (with earlier versions of Windows)."

Now, Windows security is not always perfect, said Carrera, "but it is much more tight."
