[ISN] RSS in Longhorn: The Security Question

[InfoSec News]

http://www.eweek.com/article2/0,1895,1833035,00.asp

By Ryan Naraine 
June 29, 2005 

Microsoft Corp.'s ambitious plan to bake RSS deep into the belly of
Longhorn will open new attack vectors for spammers, phishers and
malicious hackers, security experts say.

"It is inevitable, without a doubt. When Longhorn comes out, attackers
will pounce on every new thing to see if Microsoft did it correctly.  
You can bet RSS integration will be one of those things attackers will
want to exploit," said John Pescatore, senior vice president of
research at Gartner Inc.

Looking to introduce the fast-growing content syndication technology
to a mass audience, Microsoft plans to embed an RSS (Really Simple
Syndication) platform to automatically distribute feeds into Windows
applications, both its own and those from developers.

The plan is for Longhorn to provide a common feed list of
subscriptions and a common feed store of data in Longhorn, which will
be available to applications through Windows APIs. The Redmond, Wash.,
company's vision also includes RSS discovery and easy-to-subscribe
options in the upcoming Internet Explorer 7 browser refresh.

With Longhorn, Microsoft will make RSS more understandable to the
average, non-technical end user, but once the technology reaches
critical mass it will surely become a lucrative target for malicious
hackers.

Richard Stiennon, director of threat research at anti-spyware company
Webroot Software Inc., has long predicted that RSS will be used to
serve up malicious code. "It's not yet a big target, but once RSS
usage becomes as widespread as e-mail or instant messaging, the
hackers will find a way to use it to distribute malware," Stiennon
said in a recent interview with Ziff Davis Internet News.

Gartner's Pescatore believes crackers will pounce on Microsoft's
implementation of RSS to "see if any mistakes were made."

"The RSS threat is a legitimate one, and Microsoft will have to be
very careful about how it's baked into the OS. The potential for
danger is very, very real," Pescatore said.

"I see it more as a spam threat in the beginning," he added. "With
RSS, users are automatically pulling in news feeds, so the
authentication side has to be addressed to make sure people are
getting the feed they subscribed to. I'm positive we'll see an RSS
spam problem because spammers will find a way around the
authentication weakness."

Once weaknesses are identified, Pescatore believes the phishers will
pounce and try to lure users to visit fake sites to steal confidential
information. This type of threat is especially apparent on RSS search
engines that pull results from multiple Web sites and present those as
an RSS feed.

Because Microsoft is embracing the use of enclosures to deliver
attachments in RSS feeds, there is also a risk that rigged media files
and other attachment types can find their way on a user's desktop.

"We're seeing Podcasts become quite popular, and we already know that
media player flaws can cause serious damage. Put them together and you
will inevitably have problems," Pescatore added.

"Any time a protocol has the word 'simple' in it, there will be
complicated ways to attack it. We really haven't scratched the surface
of the threats yet. There's a lot of active content flowing through
RSS aggregators, and the malware writers will want to pounce."

RSS aggregator developers have addressed security by stripping out
potentially dangerous tags before the content is displayed to the end
user, but unless server-client authentication is strengthened,
Webroot's Stiennon said a RSS-enabled world will struggle to cope with
malware.

A Microsoft spokeswoman said the Longhorn developers working on RSS
integration will use the mandatory SDL (Security Development
Lifecycle) that outlines the cradle-to-grave procedures used for
software creation at Microsoft.

The SDL, which was formalized in 2004 for software coming out of
Redmond, includes developer training, threat-modeling, code reviews
and testing. The procedure is mandatory for all future Internet-facing
software.

The SDL framework, which covers four high-level principles covering
every stage of software creation, was first implemented in Windows
Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server
Service Pack 3, and Microsoft officials say the eventual security
improvements have been significant.

Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000,
compared with just 24 advisories in Windows Server 2003. The numbers
are the same for pre- and post-SDL advisories for SQL Server 2000 and
Exchange Server 2000.