FeedDemon is not vulnerable to any of the more serious exploits they reported – so you can imagine my surprise at seeing news reports which listed FeedDemon among the vulnerable RSS readers. Because of this, I’d like to take a few minutes to go over some of FeedDemon’s security features.
I’ve written about feed security a few times, and it’s something I’ve been concerned about since 2003, when Mark Pilgrim’s platypus prank illustrated the dangers of republishing HTML from multiple sources. Because of this, I designed FeedDemon to strip script blocks and script events from feed content, along with potentially harmful HTML elements such as:
This provides an initial layer of protection, but FeedDemon goes a step further. As SPI Dynamics pointed out in their presentation, RSS readers which embed Internet Explorer run the risk of permitting script to operate in the local machine zone, which means that the script is treated with a high level of trust – including the ability to access the local hard drive. However, FeedDemon is not vulnerable to this security flaw. FeedDemon makes use of IE’s local machine zone lockdown, which forces local content to operate in the more secure Internet Zone. So even if a malicious feed creator somehow finds a way to trick FeedDemon into executing script, that script won’t be able to do anything harmful.
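As an added illustration of that first layer (example code, not FeedDemon's own, whose list of stripped elements is not reproduced here), the following Python sanitizer re-emits feed HTML without script blocks, `on*` event attributes or script-scheme URLs; the set of dropped elements and the allowed URL schemes are this example's own assumptions.

```python
import html
from html.parser import HTMLParser

# Elements dropped together with their content. This set is this example's own
# choice; it is not the post's list of stripped elements.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "data"}    # attributes whose scheme is checked
SAFE_SCHEMES = ("http:", "https:", "mailto:")    # assumed allow-list for absolute URLs

class FeedSanitizer(HTMLParser):
    """Rebuilds a feed HTML fragment; comments, doctype and PIs hit base-class no-ops."""
    def __init__(self):
        # convert_charrefs=False: &lt; is re-emitted as &lt;, never decoded to <
        super().__init__(convert_charrefs=False)
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):       # tag and attr names arrive lower-cased
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1                 # drop the element and everything in it
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):            # onclick, onload, onerror, ...
                continue
            if name in URL_ATTRS and value is not None:
                scheme = value.strip().lower().replace("\t", "").replace("\n", "")
                if ":" in scheme and not scheme.startswith(SAFE_SCHEMES):
                    continue                     # absolute URL with a non-allowed scheme
            kept.append(f' {name}="{html.escape(value)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_startendtag(self, tag, attrs):    # <br/> -> <br>, no stray </br>
        self.handle_starttag(tag, attrs)
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):                 # text, and entity/char refs verbatim
        if not self.skip_depth:
            self.out.append(data)
    def handle_entityref(self, name): self.handle_data(f"&{name};")
    def handle_charref(self, name): self.handle_data(f"&#{name};")

def sanitize_feed_html(fragment: str) -> str:
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Stripping is only the first layer; the zone lockdown described above is what limits the damage if a sanitizer like this misses a case.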
PS: Apologies for not enabling comments for this post, but I’ll be away from my computer this week and can’t risk the comment spam.