    RSS in Longhorn: The Security Question

    Written by

    Ryan Naraine
    Published June 29, 2005

      Microsoft Corp.'s ambitious plan to bake RSS deep into the belly of Longhorn will open new attack vectors for spammers, phishers and malicious hackers, security experts say.

      “It is inevitable, without a doubt. When Longhorn comes out, attackers will pounce on every new thing to see if Microsoft did it correctly. You can bet RSS integration will be one of those things attackers will want to exploit,” said John Pescatore, senior vice president of research at Gartner Inc.

      Looking to introduce the fast-growing content syndication technology to a mass audience, Microsoft plans to embed an RSS (Really Simple Syndication) platform to automatically distribute feeds into Windows applications, both its own and those from developers.

      The plan is for Longhorn to provide a common feed list of subscriptions and a common feed store of data, which will be available to applications through Windows APIs. The Redmond, Wash., company's vision also includes RSS discovery and easy-to-subscribe options in the upcoming Internet Explorer 7 browser refresh.

      With Longhorn, Microsoft will make RSS more understandable to the average, non-technical end user, but once the technology reaches critical mass it will surely become a lucrative target for malicious hackers.

      Richard Stiennon, director of threat research at anti-spyware company Webroot Software Inc., has long predicted that RSS will be used to serve up malicious code. “It's not yet a big target, but once RSS usage becomes as widespread as e-mail or instant messaging, the hackers will find a way to use it to distribute malware,” Stiennon said in a recent interview with Ziff Davis Internet News.

      Gartner's Pescatore believes crackers will pounce on Microsoft's implementation of RSS to “see if any mistakes were made.”

      “The RSS threat is a legitimate one, and Microsoft will have to be very careful about how it's baked into the OS. The potential for danger is very, very real,” Pescatore said.

      “I see it more as a spam threat in the beginning,” he added. “With RSS, users are automatically pulling in news feeds, so the authentication side has to be addressed to make sure people are getting the feed they subscribed to. I'm positive we'll see an RSS spam problem because spammers will find a way around the authentication weakness.”

      Once weaknesses are identified, Pescatore believes the phishers will pounce and try to lure users to visit fake sites to steal confidential information. This type of threat is especially apparent on RSS search engines that pull results from multiple Web sites and present those as an RSS feed.


      Because Microsoft is embracing the use of enclosures to deliver attachments in RSS feeds, there is also a risk that rigged media files and other attachment types can find their way onto a user's desktop.

      “We're seeing Podcasts become quite popular, and we already know that media player flaws can cause serious damage. Put them together and you will inevitably have problems,” Pescatore added.

      “Any time a protocol has the word simple in it, there will be complicated ways to attack it. We really haven't scratched the surface of the threats yet. There's a lot of active content flowing through RSS aggregators, and the malware writers will want to pounce.”

      RSS aggregator developers have addressed security by stripping out potentially dangerous tags before the content is displayed to the end user, but unless server-client authentication is strengthened, Webroot's Stiennon said, an RSS-enabled world will struggle to cope with malware.
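As an added illustration, not code from the article or from Microsoft, here is the tag-stripping approach the article attributes to aggregator developers, in Python, run over a constructed two-item feed; it also applies a content-type allowlist to enclosures, since the article flags rigged media attachments as a second risk. The sample feed, the tag and attribute allowlists and the enclosure types are assumptions made for this example.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
# Constructed sample feed (not real): item 1 has active content, item 2 an executable enclosure.
SAMPLE_RSS = """<?xml version="1.0"?><rss version="2.0"><channel><title>Demo</title><item><title>First</title>
<description><![CDATA[<p onclick="x()">Hi <a href="javascript:alert(1)">link</a><script>evil()</script><b>bold</b></p>]]></description>
<enclosure url="http://example.invalid/a.mp3" type="audio/mpeg" length="1"/></item>
<item><title>Second</title><description>plain</description><enclosure url="http://example.invalid/a.exe" type="application/x-msdownload" length="1"/></item>
</channel></rss>"""

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}  # allowlists chosen for this example
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
ALLOWED_ENCLOSURE_TYPES = {"audio/mpeg", "image/jpeg", "image/png"}

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            # Drop on* event handlers and any href that is not plain http(s).
            kept = [f' {k}="{html.escape(v or "")}"' for k, v in attrs if not k.startswith("on")
                    and (k != "href" or re.match(r"https?://", v or "", re.I))]
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))

def sanitize_html(fragment):
    s = Sanitizer()
    s.feed(fragment); s.close()
    return "".join(s.out)

def parse_feed(xml_text):
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        enc = item.find("enclosure")   # kept only if its declared type is allowlisted
        ok = enc is not None and enc.get("type") in ALLOWED_ENCLOSURE_TYPES
        items.append({"title": item.findtext("title", ""),
                      "description": sanitize_html(item.findtext("description", "")),
                      "enclosure": enc.get("url") if ok else None})
    return items
```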

      A Microsoft spokeswoman said the Longhorn developers working on RSS integration will use the mandatory SDL (Security Development Lifecycle) that outlines the cradle-to-grave procedures used for software creation at Microsoft.

      The SDL, which was formalized in 2004 for software coming out of Redmond, includes developer training, threat-modeling, code reviews and testing. The procedure is mandatory for all future Internet-facing software.


      The SDL framework, which covers four high-level principles covering every stage of software creation, was first implemented in Windows Server 2003, SQL Server 2000 Service Pack 3 and Exchange 2000 Server Service Pack 3, and Microsoft officials say the eventual security improvements have been significant.

      Pre-SDL, Microsoft released 62 bulletins to fix flaws in Windows 2000, compared with just 24 advisories in Windows Server 2003. The numbers are the same for pre- and post-SDL advisories for SQL Server 2000 and Exchange Server 2000.
