How can attackers exploit RSS software flaws?

RSS syndication feeds are a convenient way to get your news, blogs or other favorite content, but these popular tools are often left exposed. In this Q&A, Ed Skoudis explains how malicious hackers can attack RSS software and distribute malicious code.

RSS may be more convenient than email, but what are the risks of using or permitting the use of syndication protocols?
RSS syndication feeds are a convenient way to get data, like blogs or news stories, from frequently updated online news sources. RSS distributes this information in XML, which is then read using a special RSS reader, often called an aggregator. Browsers or email readers can also fetch and parse RSS feeds. There are a variety of RSS readers, and most major browsers today support RSS either natively or through a plug-in.

So, what are the security risks?

They fall into two categories: attacks against RSS software itself, and attacks that use RSS to distribute malicious code to browsers and mail readers.

The software in RSS readers parses the XML, and it is conceivable that the software can have a buffer overflow, format string, or other vulnerability that an attacker could exploit. If that is indeed the case, the RSS reader can be exposed to such attacks whenever it updates itself; no human interaction is even necessary. While there isn't a history of specific flaws in RSS readers, it's certainly something to keep an eye on, given all of the client-side vulnerabilities in other software we've seen recently.

Attackers could also embed malicious scripts in RSS feeds, hoping someone will use a browser to read the feed and then run the malicious script inside the browser. There is indeed a history of this kind of attack. About a year ago, Yahoo's in-line RSS reader was discovered to have a cross-site scripting flaw.

An attacker could create an RSS feed that includes a cookie-stealing browser script and push the feed to someone who uses the Yahoo Web site to read RSS updates. An attacker could then steal all of their Yahoo-related cookies.

What's the best defense against these kinds of attacks? First off, make sure you keep your client-side applications patched; that includes browsers and RSS readers. Next, deploy an antivirus and antispyware tool to try to foil malware that might get loaded. And, finally, keep your RSS feeds pared down to those for which you have a defined business purpose. Don't subscribe to hundreds of useless feeds; focus on those that you really need.

More information:

  • At Black Hat USA 2006, a researcher demonstrated how RSS and Atom feeds can spread the payload of a zero-day attack. Senior News Writer Bill Brenner details the threat.
  • Mike Chapple explains which straightforward measures can combat RSS flaws.
  • Dig Deeper on Threats and vulnerabilities

    Enterprise Desktop
    Cloud Computing