So, what are the security risks?
They fall into two categories: attacks against RSS software itself, and attacks that use RSS to distribute malicious code to browsers and mail readers.
The software in RSS readers parses the XML, and it is conceivable that the software can have a buffer overflow, format string, or other vulnerability that an attacker could exploit. If that is indeed the case, the RSS reader can be exposed to such attacks whenever it updates itself; no human interaction is even necessary. While there isn't a history of specific flaws in RSS readers, it's certainly something to keep an eye on, given all of the client-side vulnerabilities in other software we've seen recently.
Attackers could also embed malicious scripts in RSS feeds, hoping someone will use a browser to read the feed and then run the malicious script inside the browser. There is indeed a history of this kind of attack. About a year ago, Yahoo's in-line RSS reader was discovered to have a cross-site scripting flaw.
An attacker could create an RSS feed that includes a cookie-stealing browser script and push the feed to someone who uses the Yahoo Web site to read RSS updates. An attacker could then steal all of their Yahoo-related cookies.
What's the best defense against these kinds of attacks? First off, make sure you keep your client-side applications patched; that includes browsers and RSS readers. Next, deploy an antivirus and antispyware tool to try to foil malware that might get loaded. And, finally, keep your RSS feeds pared down to those for which you have a defined business purpose. Don't subscribe to hundreds of useless feeds; focus on those that you really need.
Dig Deeper on Threats and vulnerabilities
Related Q&A from Ed Skoudis
Learn how social networking sites compound the insider threat risk, and explore how to mitigate the threat with policy, training and technology. Continue Reading
Improper input validation leads to numerous kinds of attacks, including cross-site scripting, SQL injection and command injection. In this expert Q&A... Continue Reading
Teredo allows internal networks to transition to IPv6, interconnecting them through their NAT devices and across the IPv4 Internet. Ed Skoudis ... Continue Reading