Jeff Barr's Blog

Things I Like..

IE and RSS, and RSS-Powered Attacks

Steve Gillmor at eWEEK says that IE’s failings were somehow responsible for the rise in the popularity of RSS. That’s an interesting theory, but I really don’t follow his logic. To confound things, he then goes on to review NewsGator and Pluck, RSS add-ins for Outlook and IE, respectively (disclaimer: both NewsGator and Pluck are current Syndic8 advertisers). Both of these are great tools, and equivalents have yet to surface for open source products. Let’s note that both of these depend on the fact that their respective host environments have highly developed (yet definitely not flawless) extensibility models, and that the very models which provide the flexibility to host add-ins can also be exploited by the bad guys.

RSS is a focusing tool, bringing people the information they want in the topical areas that they care the most about. That it somehow helps people to break free of an unhealthy dependence on buggy and insecure Microsoft products is a positive side effect.

I do have to say that there are people trying to foster attacks using RSS, and sooner or later one of them will succeed. Given that many desktop aggregation tools use the IE rendering engine (MSHTML, once known as Trident), it is almost inevitable that an exploit is going to show up. Shifting the spotlight away from Microsoft, I should point out that web-based aggregators are theoretically susceptible to script-based attacks.

There’s another story here, about how Microsoft could have been a participant in the RSS world all the way back in 1999, but I will leave that for another day.