RSS Integration in to Longhorn Poses Security Issues

Following all the hype concerning Microsoft's "adoption" of RSS, some voices stand out and start discussing the security issues this poses.

Here are just some selected comments ...

Don Park's Daily Habit:

"Blogging and syndicated data technologies in general have yet to fully test the fires of hostile computing world. As their prime time nears, they will be subject to abuse and exploitation.

For example, the primary mechanism behind podcast, RSS enclosure, can be used to deliver worms and worse to the desktops. If there are any vulnerabilities in iPod (or any MP3 player hooked up to podcast sync client) codec, then podcasting is a good way to deliver overflow inducing content."

"If you subscribe to 1000 feeds, you are hanging on a chain with 1000 links. Each of those 1000 links (feeds) are potential targets for hackers to attack to gain control over its content. All they need is one vulnerable feed hosting server to change what is delivered to your desktop. If you are using an insecure news client that pools news items from multiple sources, a hacker in control of Ponzi's Schemes feed (hi Ponzi ) will be able to send out posts that looks as if they came from the American Express feed."

eWeek.com:

"Once weaknesses are identified, Pescatore believes the phishers will pounce and try to lure users to visit fake sites to steal confidential information. This type of threat is especially apparent on RSS search engines that pull results from multiple Web sites and present those as an RSS feed."

"Because Microsoft is embracing the use of enclosures to deliver attachments in RSS feeds, there is also a risk that rigged media files and other attachment types can find their way on a user's desktop."

"A Microsoft spokeswoman said the Longhorn developers working on RSS integration will use the mandatory SDL (Security Development Lifecycle) that outlines the cradle-to-grave procedures used for software creation at Microsoft."