August 20, 2006
@ 07:06 PM
Comments [9]
Updated: Malicious Javascript in Feeds and RSS Bandit

UPDATE: On inspecting the code it seems that my assertions in this post are incorrect. The change we made in the last release was not to enable Javascript by default. Instead it was to always ignore the Javascript setting chosen by the user for the newspaper view. This means that the current release of RSS Bandit is vulnerable to the majority of the flaws outlined in article linked below. I'll work on getting a release out that addresses this issue as soon as I can although this is complicated by the fact that we may not have a snapshot for the last release AND the first half of this week is very busy for me at work. If this security issue is a serious concern to you, my advice is to not use RSS Bandit until a release that addresses this issues is released or to switch to v1.3.0.29 of RSS Bandit which does honor the specified Security restrictions for the newspaper view.

A number of people have either sent me email or posted on the RSS Bandit forums asking whether RSS Bandit is vulnerable to the various issues raised in the article Blog feeds may carry security risk which states

LAS VEGAS--Reading blogs via popular RSS or Atom feeds may expose computer users to hacker attacks, a security expert warns.

Attackers could insert malicious JavaScript in content that is transferred to subscribers of data feeds that use the popular RSS (Really Simple Syndication) or Atom formats, Bob Auger, a security engineer with Web security company SPI Dynamics, said Thursday in a presentation at the Black Hat security event here.
...
"A large percentage of the readers I tested had some kind of an issue," he said. In his presentation, Auger listed Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader as vulnerable.

As protection, people could switch to a nonvulnerable reader. Also, feed publishers could ensure that their feeds don't include malicious JavaScript or any script at all, Auger said. Some services, however, rely on JavaScript to deliver ads in feeds, he noted.

To prevent this sorts of issues RSS Bandit allows users to optionally disable the running of Javascript, ActiveX or Java code in its Options dialog. Up until the last release we disabled Javascript, ActiveX and Java by default. However in the last release, we switched on Javascript by default to enable a particular features (i.e. specifically when you click on the envelope or flag on an item in the newspaper view to change the read or flagged state of an item). This means that by default RSS Bandit is vulnerable to the Javascript related issues mentioned in this article.

How to change this state of affairs is mentioned in the section of our user documentation entitled Changing the web browser security settings which has a screenshot of the Web Browser tab of the Options dialog where browser security restrictions can be set. 

Our users should configure the options to what best eases their security concerns. I'm still debating on what we need to do here in the long term but one thing I doubt we'll do is striping potentially malicious HTML tags since this seems to be a sledgehammer-like approach which may strip valid markup (e.g. <style> tags) from content. It's more likely that I'll remove our features that require enabling Javascript by default than go that route. I'd appreciate thoughts from our users on this.

Update: I was one of the developers contacted by James Snell and have failed to get back to him since I haven't gone through all of the tests he sent me yet.


 

Categories: RSS Bandit
Tracked by:
"Windows Vista RC1 and RSS Bandit" (David Boschmans Weblog) [Trackback]
http://blogs.msdn.com/davbosch/archive/2006/08/25/721765.aspx [Pingback]
« Jon Udell on Open Sourcing XAML and WPF/... | Home | The Windows Live Contacts Gadget is Here... »