In my previous post I wrote about FeedDemon’s security features, the most important of which is the fact that FeedDemon’s newspapers operate in Internet Explorer’s “Internet Zone” instead of the less secure local zone. This means that even if someone finds a way to trick FeedDemon into running script, it can’t access the local zone (so it can’t touch your hard drive, for example).
It’s a good thing that FeedDemon has this feature, because while I was on vacation, Sam Ruby and James Snell talked about ways to get feed readers to run script – some of which FeedDemon is vulnerable to.
I also want to add that every feed reader I tried is vulnerable to the same exploits, but I realize that’s no excuse for my own code and it’s small relief to FeedDemon users.
I’ve spent the past week fixing these flaws, and James Snell has kindly tested a private FeedDemon build and found that every vulnerability has been addressed. We plan to release this new build (v220.127.116.11) as soon as we’ve completed testing it (which may take a few days).
In the future I plan to write about how the specific vulnerabilities were resolved, but I don’t want to do that until I’m sure that other feed readers have patched them. In the meantime, if you’re the known author of a feed reader and would like details on the solutions, please feel free to contact me – I’d be happy to share the logic behind the fixes.
As a side note, I’d like to thank those who let us know about the problems before making them public. This was a responsible way to get the vulnerabilities fixed without putting customers at risk, and we appreciate it.