Microsoft Defends IE 7's RSS Security

Last week, Bob Auger, an engineer with Web security vendor SPI Dynamics, and Caleb Sima, one of the company's co-founders, gave a presentation at Black Hat that discussed ways criminals could compromise computers using scripts in RSS (Real Simple Syndication) feeds. By creating a malicious blog site, for example, an attacker could inject noxious JavaScript code via an RSS feed to end users' machines. Like other script-based attacks, the end result could be anything from identity theft to computer hijack.

Although Microsoft's IE 7 wasn't specifically targeted in the presentation, Walter VonKoch, a program manager for Internet Explorer, responded with a blog entry that detailed the browser's RSS security steps.

"When downloading feeds, the RSS Platform passes the feed through a sanitization process which among other things removes script from HTML fields like the description element," wrote VonKoch. "Also, text fields, like the title element, are treated as text and not as HTML."

Additionally, IE 7 displays RSS feeds in the browser's "Restricted" security zone independent of where the feed originated (even from a site, say, that was already listed in IE's "Trusted" zone).

"By default, script is disabled in the Restricted zone," VonKoch noted.

IE 7, which is currently in its third beta stage, displays RSS feeds in specially-crafted pages.