RSS in Longhorn: The Security Question

Analysts warn that Microsoft's plan to bake content syndication deep into the belly of Longhorn will open new attack vectors for spammers, phishers and malware writers.

Microsoft Corp.'s ambitious plan to bake RSS deep into the belly of Longhorn will open new attack vectors for spammers, phishers and malicious hackers, security experts say.

"It is inevitable, without a doubt. When Longhorn comes out, attackers will pounce on every new thing to see if Microsoft did it correctly. You can bet RSS integration will be one of those things attackers will want to exploit," said John Pescatore, senior vice president of research at Gartner Inc.

Looking to introduce the fast-growing content syndication technology to a mass audience, Microsoft plans to embed an RSS (Really Simple Syndication) platform to automatically distribute feeds into Windows applications, both its own and those from developers.

The plan is for Longhorn to provide a common feed list of subscriptions and a common feed store of data, both available to applications through Windows APIs. The Redmond, Wash., company's vision also includes RSS discovery and easy-to-subscribe options in the upcoming Internet Explorer 7 browser refresh.

With Longhorn, Microsoft will make RSS more understandable to the average, non-technical end user, but once the technology reaches critical mass it will surely become a lucrative target for malicious hackers.

Richard Stiennon, director of threat research at anti-spyware company Webroot Software Inc., has long predicted that RSS will be used to serve up malicious code. "It's not yet a big target, but once RSS usage becomes as widespread as e-mail or instant messaging, the hackers will find a way to use it to distribute malware," Stiennon said in a recent interview with Ziff Davis Internet News.

Gartner's Pescatore believes crackers will pounce on Microsoft's implementation of RSS to "see if any mistakes were made."

"The RSS threat is a legitimate one, and Microsoft will have to be very careful about how it's baked into the OS. The potential for danger is very, very real," Pescatore said.

"I see it more as a spam threat in the beginning," he added. "With RSS, users are automatically pulling in news feeds, so the authentication side has to be addressed to make sure people are getting the feed they subscribed to. I'm positive we'll see an RSS spam problem because spammers will find a way around the authentication weakness."

Once weaknesses are identified, Pescatore believes the phishers will pounce and try to lure users to visit fake sites to steal confidential information. This type of threat is especially apparent on RSS search engines that pull results from multiple Web sites and present those as an RSS feed.


Because Microsoft is embracing the use of enclosures to deliver attachments in RSS feeds, there is also a risk that rigged media files and other attachment types will find their way onto a user's desktop.

"We're seeing podcasts become quite popular, and we already know that media player flaws can cause serious damage. Put them together and you will inevitably have problems," Pescatore added.

"Any time a protocol has the word simple in it, there will be complicated ways to attack it. We really haven't scratched the surface of the threats yet. There's a lot of active content flowing through RSS aggregators, and the malware writers will want to pounce."

RSS aggregator developers have addressed security by stripping out potentially dangerous tags before the content is displayed to the end user, but unless server-client authentication is strengthened, Webroot's Stiennon said, an RSS-enabled world will struggle to cope with malware.
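To make the two aggregator-side defenses concrete, here is an added example (not code from the article, Microsoft, or any aggregator vendor) that parses a constructed RSS 2.0 feed, rebuilds each item's HTML description from an allow-list of tags and attributes so script, event handlers and `javascript:` links are dropped, and flags enclosures whose MIME type or URL scheme is not on an allow-list. The feed contents, tag lists and MIME types are assumptions chosen for the demonstration.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel><title>Demo</title>
<item><title>Benign</title><description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</description>
<enclosure url="http://example.invalid/show.mp3" type="audio/mpeg" length="1"/></item>
<item><title>Rigged</title><description>&lt;p onmouseover="x()"&gt;Click &lt;a href="javascript:alert(1)"&gt;here&lt;/a&gt;&lt;script&gt;evil()&lt;/script&gt;&lt;/p&gt;</description>
<enclosure url="http://example.invalid/update.exe" type="application/octet-stream" length="1"/></item>
</channel></rss>"""  # constructed sample feed, not taken from the article

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # allow-list: onmouseover, style etc. never pass
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe"}
SAFE_SCHEMES = ("http://", "https://")   # rejects javascript:, data:, file: URLs
ALLOWED_ENCLOSURE_TYPES = {"audio/mpeg", "image/jpeg", "image/png"}  # assumed policy

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1            # drop the element and everything inside it
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = [f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, set()) and v
                    and v.strip().lower().startswith(SAFE_SCHEMES)]
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))  # re-escape text so it stays text

def sanitize_html(fragment):
    s = Sanitizer(); s.feed(fragment); s.close()
    return "".join(s.out)

def process_feed(xml_text):
    results = []
    for item in ET.fromstring(xml_text).iter("item"):  # expat does not fetch external entities
        enc = item.find("enclosure")
        enc_ok = (enc is not None and enc.get("type") in ALLOWED_ENCLOSURE_TYPES
                  and (enc.get("url") or "").startswith(SAFE_SCHEMES))
        results.append({"title": item.findtext("title"), "enclosure_allowed": enc_ok,
                        "description": sanitize_html(item.findtext("description", ""))})
    return results
```

The allow-list approach is deliberate: a deny-list of known-bad tags misses the next tag or attribute a feed author invents, whereas rebuilding the markup from permitted pieces fails closed.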

A Microsoft spokeswoman said the Longhorn developers working on RSS integration will use the mandatory SDL (Security Development Lifecycle) that outlines the cradle-to-grave procedures used for software creation at Microsoft.

The SDL, which was formalized in 2004 for software coming out of Redmond, includes developer training, threat modeling, code reviews and testing. The procedure is mandatory for all future Internet-facing software.


The SDL framework, which rests on four high-level principles spanning every stage of software creation, was first applied to Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3, and Microsoft officials say the resulting security improvements have been significant.

Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000, compared with just 24 advisories in Windows Server 2003. The numbers are the same for pre- and post-SDL advisories for SQL Server 2000 and Exchange Server 2000.
