Blog Feeds Vulnerable to Embedded Malware

SPI Dynamics security engineers attending the Black Hat conference in Las Vegas gave a presentation highlighting the vulnerabilities associated with RSS (Really Simple Syndication) feeds and the Atom format. According to Caleb Sima, chief technology officer, and Robert Auger, security engineer, at SPI Dynamics Inc., malicious JavaScript content could be embedded in RSS feeds in order to find its way to the feeds' subscribers.
Malicious JavaScript code disguised within the text of a data feed could be delivered via the RSS or Atom formats and executed on the subscriber's machine, a still little-used technique now dubbed feed injection. Sima discussed the presently limited spread of feed injection techniques, but warned that proof-of-concept code for these variants of cross-site scripting attacks is going to widen its reach and become a major threat. Sima ultimately stated that this issue starts at the publisher level, and that the responsibility for providing secure RSS feeds falls on the shoulders of the data feed providers.
Robert Auger named Bloglines, a web-based reader, and the software readers RSS Reader, RSS Owl, Feed Demon, and Sharp Reader as sharing one form or another of this vulnerability, emphasizing that the list was incomplete and comprised only the readers already confirmed vulnerable. He also advised that a temporary workaround is to prevent scripts, applets and plug-ins from launching from within feeds. "Wherever you get data from you can't assume that data is good," he stated.
Sima warned that simply disabling JavaScript in the browser is not a solution, as RSS and Atom feeds are stored by blog readers as HTML files on the subscriber's local hard disk, bypassing the Web browser's security settings. He also stated that a viable security solution is the re-encoding of all JavaScript content, a process that renders it harmless.
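The following is an added illustration, not code from SPI Dynamics or from any of the readers named above, of the two sides of the article's point: a feed reader that writes an item's description straight into its local HTML cache executes whatever markup the publisher (or whoever can inject into the feed) put there, while a reader that HTML-encodes the description before rendering turns the same markup into harmless text. The sample feed is constructed for the example; the detection pattern is a simple heuristic for logging, not an exhaustive filter.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real feed). The second item carries a script
# payload inside its description, the feed-injection case the article describes.
# Inside RSS the HTML is itself XML-escaped, so the parsed text contains real tags.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example feed</title>
<item><title>Benign post</title>
<description>Plain text with &lt;b&gt;bold&lt;/b&gt; markup.</description></item>
<item><title>Injected post</title>
<description>Hello &lt;script&gt;alert('feed injection')&lt;/script&gt; world</description></item>
</channel></rss>"""

# Heuristic for flagging active content in a feed item (for logging/alerting only).
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|object|embed|applet|iframe)\b|\bon\w+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def parse_items(xml_text):
    """Return a list of {'title', 'description'} dicts from an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": item.findtext("title", default=""),
            "description": item.findtext("description", default=""),
        })
    return items


def contains_active_content(fragment):
    """True if the fragment looks like it carries script, plugin or event-handler markup."""
    return ACTIVE_CONTENT.search(fragment) is not None


def render_unsafe(item):
    """The vulnerable pattern: feed text is dropped into HTML as-is, so tags are live."""
    return "<h2>%s</h2><p>%s</p>" % (item["title"], item["description"])


def render_safe(item):
    """The re-encoding mitigation: every feed-supplied string is HTML-escaped
    (including quotes), so <script> becomes &lt;script&gt; and is displayed, not run."""
    return "<h2>%s</h2><p>%s</p>" % (
        html.escape(item["title"], quote=True),
        html.escape(item["description"], quote=True),
    )


def build_local_page(items, renderer):
    """Build the HTML a reader would cache on disk, using the given renderer."""
    body = "\n".join(renderer(it) for it in items)
    return "<html><body>\n%s\n</body></html>" % body


if __name__ == "__main__":
    feed_items = parse_items(SAMPLE_RSS)
    for it in feed_items:
        flag = "ACTIVE CONTENT" if contains_active_content(it["description"]) else "ok"
        print("%-15s %s" % (it["title"], flag))
    print("--- unsafe cache page ---")
    print(build_local_page(feed_items, render_unsafe))
    print("--- encoded cache page ---")
    print(build_local_page(feed_items, render_safe))
```

Encoding everything, as above, also neutralises the benign item's `<b>` markup; a reader that wants to keep formatting has to follow encoding with an allowlist of tags and attributes, which is strictly more work than the blanket re-encoding the article recommends and is where most reader bugs of this kind live.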