Manage Learn to apply best practices and optimize your operations.

What are the security risks of Windows Vista RSS functionality?

The RSS support in Windows Vista exposes feed handling and management to other Windows applications. However, any technology that allows data to be shared across applications carries risks, says expert Michael Cobb.

What are the security implications of placing RSS functionality into an operating system, as Microsoft has planned to do?
Really Simple Syndication, or RSS, has fast become one of the primary methods for online news sites and blogs to make their content easily accessible. Its increased popularity for other types of subject matter, such as audio-based serialized content, meant that it was only a matter of time before it became an integral element of browsers and operating systems.

The RSS support in Windows Vista, primarily through Version 7 of its Internet Explorer Web browser, is built on the Windows RSS Platform, consisting of three components that expose feed handling and management to other Windows applications. All feeds managed by the RSS Platform are stored in the Common RSS Data Store. Feeds are cleansed of potentially malicious code by stripping out scripts and embedded objects. The Common RSS sync download engine downloads content at periodic intervals, using Attachment Execute Services to prevent automatic downloading of potentially malicious file types. Finally, the Common RSS Feed List can be queried by the RSS Platform APIs, giving application developers access to the list of feeds to which the user is subscribed.

The addition of the Windows RSS Platform is not aimed solely at making it easier for users to find, subscribe and manage their RSS feeds. It also means that developers can incorporate the rich capabilities of RSS into their applications. Events in an RSS feed, for example, can be displayed directly in an RSS-enabled calendar application, or a sales manager can have the latest online sales figures fed into his accounts application.

However, any technology that allows data to be shared across applications carries risks. In the same way that applications that use a browser for their user interface can become vulnerable to any browser bugs and vulnerabilities, applications that incorporate RSS can fall prey to any vulnerabilities found in the RSS-enabling technology. Also adware, spyware and other malicious software writers will no doubt start trying to find ways to add an RSS feed to the user's global feed repository or use it as a gateway to other data.

Microsoft has done a credible job in eliminating many exploitable vulnerabilities through its security development lifecycle (SDL) and renewed focus on security in its Windows operating system and major applications. The security features in Windows Vista mean that hackers are having to work harder to compromise users' PCs. But what about RSS-enabled applications from other vendors? You may feel that you can trust Internet Explorer to secure the login credentials for feeds such as Gmail that require a password to access them, but what about extending that trust to other applications? I would certainly test new RSS-enabled applications in a safe environment before allowing them to be used throughout an organization. And as with any relatively new technology, particularly one whose functionality is being expanded rapidly, security policies should be updated to define guidelines for acceptable usage.

This was last published in April 2009

Dig Deeper on Microsoft Windows security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.