[ISN] Blog feeds may carry security risk

From: InfoSec News (alerts@private)
Date: Fri Aug 04 2006 - 09:47:00 PDT


http://news.com.com/Blog+feeds+may+carry+security+risk/2100-1002_3-6102171.html

By Joris Evers
Staff Writer, CNET News.com
August 4, 2006

LAS VEGAS -- Reading blogs via popular RSS or Atom feeds may expose 
computer users to hacker attacks, a security expert warns.

Attackers could insert malicious JavaScript in content that is transferred 
to subscribers of data feeds that use the popular RSS (Really Simple 
Syndication) or Atom formats, Bob Auger, a security engineer with Web 
security company SPI Dynamics, said Thursday in a presentation at the 
Black Hat security event here.

The problem doesn't affect only blogs--any kind of information feed using 
any kind of format could potentially be used to transmit malicious content 
to a subscriber, Auger said. People, for example, subscribe to mailing 
lists and news Web sites via RSS, he said, noting "this is about the 
entire concept of Web feeds."

SPI Dynamics examined a number of online and offline applications used to 
read RSS and Atom feeds. In many cases, any JavaScript code delivered on 
the feed would run on the user's PC, meaning it could be vulnerable to 
attack, Auger said. JavaScript is a scripting language that experts say is 
increasingly causing security concerns.

Attackers could exploit the problem by setting up a malicious blog and 
enticing a user to subscribe to the RSS feed. More likely, however, they 
would add malicious JavaScript to the comments on a trusted blog, Auger 
said. "A lot of blogs will take user comments and stick them into their 
own RSS feeds," he said.

Also, attackers could send malicious code to mailing lists that offer RSS 
or Atom feeds and commandeer vulnerable systems that way, Auger said. 
Feeds are popular because they let people consolidate information streams 
from multiple sites, such as blogs, in one application, called a feed 
reader, removing the need to surf to multiple sites.

Many of the popular feed-reading applications are at fault because their 
designers failed to add valuable security checks, Auger said. In 
particular, the applications should not allow JavaScript included in feeds 
to run. Instead, the script should be filtered out, he said.

Additionally, some reader software on Windows systems uses Internet 
Explorer to display feed content, but doesn't use basic security settings 
that isolate the content. Instead, the JavaScript is downloaded to the PC 
and has full access, which can fully expose a person's PC, Auger said.

"A large percentage of the readers I tested had some kind of an issue," he 
said. In his presentation, Auger listed Bloglines, RSS Reader, RSS Owl, 
Feed Demon, and Sharp Reader as vulnerable.

As protection, people could switch to a nonvulnerable reader. Also, feed 
publishers could ensure that their feeds don't include malicious 
JavaScript or any script at all, Auger said. Some services, however, rely 
on JavaScript to deliver ads in feeds, he noted.
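The filtering Auger recommends for readers and feed publishers, as an added example (not code from the article or from SPI Dynamics): the feed, tag allow-list and scheme list below are constructed for the demo, and the sanitizer rebuilds each item's HTML from that allow-list instead of trying to blacklist dangerous constructs, counting what it removed so a reader can log feeds that carried script.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample RSS 2.0 feed (not from the article): a blog that copies reader
# comments into its feed; one carries a <script> block, one an onclick and javascript: link.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Example blog</title>
<item><title>Comment 1</title><description>&lt;p&gt;Nice post&lt;/p&gt;&lt;script&gt;alert(1)&lt;/script&gt;</description></item>
<item><title>Comment 2</title><description>&lt;a href="javascript:alert(2)" onclick="x()"&gt;link&lt;/a&gt;&lt;b&gt;ok&lt;/b&gt;</description></item>
</channel></rss>"""

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": ("href",)}   # on* handlers, style, src, ... are never kept
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class FeedSanitizer(HTMLParser):
    # Rebuild item HTML from an allow-list; everything else is counted and dropped.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth, self.removed = [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):        # swallow the element and its body
            self.skip_depth += 1
        if self.skip_depth or tag not in ALLOWED_TAGS:
            self.removed += 1
            return
        kept = [(n, v or "") for n, v in attrs if n in ALLOWED_ATTRS.get(tag, ())]
        kept = [(n, v) for n, v in kept          # javascript:, data:, vbscript: links go
                if n != "href" or v.strip().lower().startswith(SAFE_SCHEMES)]
        self.removed += len(attrs) - len(kept)
        self.out.append(f"<{tag}" + "".join(f' {n}="{html.escape(v)}"' for n, v in kept) + ">")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:               # re-escape text so it cannot become markup
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    """Return (clean_html, number_of_tags_and_attributes_removed)."""
    p = FeedSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.removed

def sanitize_feed(xml_text):
    """Return [(title, clean_html, removed)] per <item>; removed > 0 is worth logging."""
    root = ET.fromstring(xml_text)
    return [(i.findtext("title", ""), *sanitize_html(i.findtext("description", "")))
            for i in root.iter("item")]   # ElementTree already unescaped &lt; to <
```

A reader that renders feed items through an embedded browser engine would apply this before handing the HTML to the engine; a publisher would apply it to comments before copying them into the feed.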




