Feed Security and FeedDemon

Looks like the RSS world is abuzz with talk about feed security due to SPI Dynamics’ presentation at Black Hat USA 2006.

SPI Dynamics contacted us several weeks ago about potential vulnerabilities in FeedDemon, and I’d like to thank them for notifying us prior to their presentation. I spent quite a bit of time testing FeedDemon to make sure it wasn’t vulnerable to any of the exploits they reported, and thankfully the only vulnerability I discovered was a minor one: specifically, a JavaScript alert embedded in a feed’s title element could be displayed by FeedDemon in certain situations. This bug was fixed the same day it was discovered.

FeedDemon is not vulnerable to any of the more serious exploits they reported – so you can imagine my surprise at seeing news reports which listed FeedDemon among the vulnerable RSS readers. Because of this, I’d like to take a few minutes to go over some of FeedDemon’s security features.

I’ve written about feed security a few times, and it’s something I’ve been concerned about since 2003, when Mark Pilgrim’s platypus prank illustrated the dangers of republishing HTML from multiple sources. Because of this, I designed FeedDemon to strip script blocks and script events from feed content, along with potentially harmful HTML elements such as:

  • embed
  • object
  • frame and frameset
  • iframe
  • meta
  • link
  • bgsound
  • marquee
  • body
  • style

This provides an initial layer of protection, but FeedDemon goes a step further. As SPI Dynamics pointed out in their presentation, RSS readers which embed Internet Explorer run the risk of permitting script to operate in the local machine zone, which means that the script is treated with a high level of trust – including the ability to access the local hard drive. However, FeedDemon is not vulnerable to this security flaw. FeedDemon makes use of IE’s local machine zone lockdown, which forces local content to operate in the more secure Internet Zone. So even if a malicious feed creator somehow finds a way to trick FeedDemon into executing script, that script won’t be able to do anything harmful.
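The element and script-event stripping described above can be sketched as follows. This is an added example, not FeedDemon's own code; the names `FeedSanitizer`, `sanitize`, `BLOCKED` and `DROP_CONTENT` are hypothetical, and the choice of which elements also lose their enclosed content is an assumption.

```python
from html import escape
from html.parser import HTMLParser

# Elements the post lists, plus script itself ("script blocks").
BLOCKED = {"script", "embed", "object", "frame", "frameset", "iframe",
           "meta", "link", "bgsound", "marquee", "body", "style"}
# Assumption: for these, enclosed content is discarded along with the tag.
DROP_CONTENT = {"script", "style", "object", "iframe"}


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag in BLOCKED:
            return
        # Script events (onclick, onerror, onload, ...) are dropped by prefix.
        kept = "".join(' %s="%s"' % (n, escape(v or ""))
                       for n, v in attrs if not n.startswith("on"))
        self.out.append("<%s%s>" % (tag, kept))

    def handle_startendtag(self, tag, attrs):
        if tag not in BLOCKED:  # <br/>, <img/>: emit once, no end tag
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag not in BLOCKED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:  # text is re-escaped so it cannot turn into markup
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample input, not taken from a real feed.
SAMPLE = ('<body onload="x()"><p onclick="y()">Hi <b>there</b></p>'
          '<script>alert(1)</script>'
          '<img src="http://example.com/a.png" onerror="z()"></body>')
```

A filter like this covers only what it names: `javascript:` URLs in `href` or `src`, for instance, need their own check, and the same function should be applied to feed titles as well as item bodies.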

PS: Apologies for not enabling comments for this post, but I’ll be away from my computer this week and can’t risk the comment spam.