The Mother Board forums. Free tech support, motherboard ID, and more.
PostPosted: Sun Aug 06, 2006 5:28 pm 
Black Belt 3rd Degree

Joined: Wed Nov 10, 2004 7:42 pm
Posts: 3844
Location: Oklahoma City, OK

LAS VEGAS — Reading blogs via popular RSS or Atom feeds may expose computer users to hacker attacks, a security expert warned.

Attackers could insert malicious JavaScript in content that is transferred to subscribers of data feeds that use the popular RSS (Really Simple Syndication) or Atom formats, Bob Auger, a security engineer with Web security company SPI Dynamics said in a presentation at the Black Hat security event here Thursday.

The problem doesn't affect only blogs—any kind of information feed using any kind of format could potentially be used to transmit malicious content to a subscriber, Auger said. Users, for example, could subscribe to mailing lists or news websites via RSS, he said, noting "this is about the entire concept of Web feeds."

SPI Dynamics examined a number of online and offline applications used to read RSS and Atom feeds. In many cases any JavaScript code delivered on the feed would run on the user's PC, meaning it could be vulnerable to attack, Auger said. JavaScript is a scripting language that experts say is increasingly causing security concerns.

Attackers could exploit the problem by setting up a malicious blog and enticing a user to subscribe to the RSS feed. More likely, however, they would add malicious JavaScript to the comments on a trusted blog, Auger said. "A lot of blogs will take user comments and stick them into their own RSS feeds," he said.

Also, attackers could send malicious code to mailing lists that offer RSS or Atom feeds and commandeer vulnerable systems that way, Auger said. Feeds are popular because they let people consolidate information streams from multiple sites, such as blogs, in one application, called a feed reader, removing the need to surf to multiple sites.

Many of the popular feed reading applications are faulted because the designers failed to add valuable security checks, Auger said. In particular, the applications should not allow JavaScript that is included in feeds to run. Instead, it should be filtered out, he said.

Additionally, some reader software on Windows systems uses Internet Explorer to display feed content, but doesn't use basic security settings that isolate the content. Instead, the JavaScript is downloaded to the PC and has full access, which can fully expose a user's PC, Auger said.

"A large percentage of the readers I tested had some kind of an issue," he said. In his presentation Auger listed Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader as vulnerable.

As protection, users could switch to a non-vulnerable reader. Also, feed publishers could ensure that their feeds don't include any malicious JavaScript or any script at all, Auger said. Some services, however, rely on JavaScript to deliver ads in feeds, he noted.

"You can't hug your family with Nuclear Arms"

Asus F2A85-V Pro
AMD A10-5800K APU @ 4.5GHz
8GB G. Skill 1866
550w PSU
Hyper 212 Evo
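
The filtering step Auger says readers are missing, as an added example that is not part of the original post or of any reader named in it: a Python allowlist sanitizer for RSS item descriptions that drops script elements, event-handler attributes and javascript: URLs before the HTML reaches a rendering engine. The tag and attribute allowlists, the sample feed and its "comment" payload are constructed here for illustration.

```python
from html import escape
from html.parser import HTMLParser
import xml.etree.ElementTree as ET
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}  # contents go too
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def safe_url(value):
    cleaned = "".join(c for c in (value or "") if c > " " and c != "\x7f").lower()  # defeats "java\tscript:"
    return cleaned.startswith(SAFE_SCHEMES)  # javascript:, data:, vbscript: and relative URLs rejected

class FeedSanitizer(HTMLParser):
    """Rebuild feed HTML from an allowlist: unknown tags vanish but keep their text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = [(n, v) for n, v in attrs if n in ALLOWED_ATTRS.get(tag, ())
                    and (n not in ("href", "src") or safe_url(v))]  # on*= and style= never survive
            self.out.append(f"<{tag}" + "".join(f' {n}="{escape(v or "")}"' for n, v in kept) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text stays text, never markup

def sanitize_html(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()  # flush buffered text so nothing is silently lost
    return "".join(parser.out)

def sanitize_rss(xml_text):
    # Map each <item> title to its sanitized <description> (RSS 2.0 layout).
    root = ET.fromstring(xml_text)
    return {i.findtext("title", ""): sanitize_html(i.findtext("description", "")) for i in root.iter("item")}

# Constructed sample: a blog comment carrying a script block, a javascript: link and an event handler.
SAMPLE_RSS = """<rss version="2.0"><channel><title>constructed sample feed</title>
<item><title>comment</title><description><![CDATA[<p>Nice post! <script>alert(1)</script><a href="javascript:alert(2)" onclick="alert(3)">click</a><img src="http://example.org/pic.png" onerror="alert(4)"></p>]]></description></item>
</channel></rss>"""
```

Readers that hand the description straight to an HTML control would run all four scripts in the sample; after sanitize_rss the link keeps its text, the image keeps its http source, and no script or handler survives.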
