What I came out of it with was:
- if people want to put executable code in rss and build clients
that execute it, they will.
- if they do they will have serious security issues to deal with
- if the RSS community starts a process to specify the details of
executable content in such a way that it is safe to use, it should
be informed by the fact that this is inherently unsafe
Sub-points:
- it's not the messages that provide exploits, it's the recipient
- the message doesn't HAVE to be executable in order for there to be
client exploits, but it sure does help
- outlook sucks
--->Nathan
> -----Original Message-----
> From: Bullard, Claude L (Len) [mailto:len.bullard@intergraph.com]
> Sent: Friday, September 23, 2005 1:07 PM
> To: 'Ken North'; xml-dev@lists.xml.org
> Subject: RE: [xml-dev] Wrapping Scripted Media in RSS: Secure?
>
> So overall, the original thread conclusion and Bill Kearney
> are right: RSS should resist scripted content regardless
> of market pressures?
>
> len
>
>
> From: Ken North [mailto:kennorth@sbcglobal.net]
>
> Robert Koberg wrote:
> > But isn't this more about server admins than possible problems with
> > script in content?
> >
> > How can there be problems if the script cannot be executed?
>
> Given that we've seen security threats related to non-executable
> content, your comment about server administration hits the nail on
> the head.
>
> 1. Vulnerabilities related to XML, DTD, XML-RPC and SOAP processing:
> http://www.webservicessummit.com/Vulnerabilities.htm
>
> 2. SQL injection vulnerabilities are epidemic.
>
> 3. MP3, WMA, AVI, PNG and JPEG have been exploited. The problem is
> often a buffer overrun that can be exploited by constructing a file
> to cause the overrun and allow malware to execute.
>
> There's a worm that exploited a vulnerability in some Windows apps
> that read JPEG images. One of the MP3 exploits uses an ID3 tag.
> There have been vulnerabilities in media players (Flash Player,
> RealPlayer, Windows Media Player, MPlayer).
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://www.oasis-open.org/mlmanage/index.php>
>
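The thread's conclusion is that the recipient decides whether feed content gets executed, so a client that wants to "resist scripted content" has to enforce that itself. The following is an added example, not code from the xml-dev thread or from any of its posters: a small Python RSS reader step that strips script, event-handler attributes, scripted URLs and embedded-object tags from an item's description before it is handed to a renderer. The sample feed, the allow-lists (ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_URL_SCHEMES) and the function names are all assumptions chosen for the demonstration.

```python
"""Added example (not from the xml-dev thread): a defensive RSS item sanitizer.

The point from the thread is that the *recipient* chooses whether feed content
executes. This shows one way an RSS client can refuse scripted content before
rendering an item's description. The feed below is constructed for the demo.
"""
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed: the description carries escaped HTML, as many feeds do.
SAMPLE_RSS = """<rss version="2.0"><channel><title>demo</title>
<item>
  <title>Scripted media item</title>
  <description>&lt;p onmouseover="x()"&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;
&lt;script&gt;alert(1)&lt;/script&gt;
&lt;a href="javascript:doit()"&gt;click&lt;/a&gt;
&lt;object data="movie.swf"&gt;&lt;/object&gt;
&lt;img src="http://example.invalid/pic.png" alt="pic"&gt;</description>
</item></channel></rss>"""

# Allow-list policy (an assumption for this demo): anything not listed is dropped,
# including every attribute that is not explicitly permitted for that tag.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"img", "br"}
# Elements whose *text content* is active code or embedded media, not prose:
# the whole element, contents included, is discarded.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "applet", "iframe"}
SAFE_URL_SCHEMES = ("http://", "https://")


class Sanitizer(HTMLParser):
    """Rebuilds an HTML fragment keeping only allow-listed tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._dropping = 0  # nesting depth inside a DROP_CONTENT_TAGS element

    @staticmethod
    def _safe_url(value):
        # Rejects javascript:, data:, vbscript: and anything else that is not http(s).
        return (value or "").strip().lower().startswith(SAFE_URL_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # this is also what removes every on* event handler
            if name in ("href", "src") and not self._safe_url(value):
                continue  # scripted or unknown-scheme URL: drop the attribute
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._dropping = max(0, self._dropping - 1)
            return
        if self._dropping or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    """Return the fragment with only allow-listed markup left in it."""
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def sanitize_feed_descriptions(rss_text):
    """Return {item title: sanitized description HTML} for every item in the feed."""
    root = ET.fromstring(rss_text)
    return {
        item.findtext("title", default=""): sanitize_html(item.findtext("description", default=""))
        for item in root.iter("item")
    }


if __name__ == "__main__":
    for title, body in sanitize_feed_descriptions(SAMPLE_RSS).items():
        print(f"{title}: {body!r}")
```

The design choice worth noting is the allow-list: rather than trying to enumerate every dangerous tag or `on*` attribute, the client names the few things it is willing to render and discards everything else, so a new scripting vector in the feed needs no new rule on the client. Relative URLs are rejected by `_safe_url` as written; a reader that wants them would resolve them against the feed's base URL first and then apply the same scheme check.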