   RE: [xml-dev] Wrapping Scripted Media in RSS: Secure?


What I came out of it with was:

 - if people want to put executable code in rss and build clients
   that execute it, they will.
 - if they do they will have serious security issues to deal with
 - if the RSS community starts a process to specify the details of
   executable content in such a way that it is safe to use, it should
   be informed by the fact that this is inherently unsafe

Sub-points:

 - it's not the messages that provide exploits, it's the recipient
 - the message doesn't HAVE to be executable in order for there to be
   client exploits, but it sure does help
 - outlook sucks


--->Nathan

> -----Original Message-----
> From: Bullard, Claude L (Len) [mailto:len.bullard@intergraph.com] 
> Sent: Friday, September 23, 2005 1:07 PM
> To: 'Ken North'; xml-dev@lists.xml.org
> Subject: RE: [xml-dev] Wrapping Scripted Media in RSS: Secure?
> 
> So overall, the original thread conclusion and Bill Kearney 
> are right:  RSS should resist scripted content regardless 
> of market pressures?
> 
> len
> 
> 
> From: Ken North [mailto:kennorth@sbcglobal.net]
> 
> Robert Koberg wrote:
> > But isn't this more about server admins than possible problems with
> > script in content?
> >
> > How can there be problems if the script cannot be executed?
> 
> Given that we've seen security threats related to non-executable
> content, your comment about server administration hits the nail on
> the head.
> 
> 1. Vulnerabilities related to XML, DTD, XML-RPC and SOAP processing:
> http://www.webservicessummit.com/Vulnerabilities.htm
> 
> 2. SQL injection vulnerabilities are epidemic.
> 
> 3. MP3, WMA, AVI, PNG and JPEG have been exploited. The problem is
> often a buffer overrun that can be exploited by constructing a file
> to cause the overrun and allow malware to execute.
> 
> There's a worm that exploited a vulnerability in some Windows apps
> that read JPEG images. One of the MP3 exploits uses an ID3 tag.
> There have been vulnerabilities in media players (Flash Player,
> RealPlayer, Windows Media Player, MPlayer).
> 
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> 
> The list archives are at http://lists.xml.org/archives/xml-dev/
> 
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://www.oasis-open.org/mlmanage/index.php>
> 
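Added illustration (not part of the thread, not code from any of the posters): the point made above, that a non-executable file exploits the recipient rather than being an exploit itself, in the shape of a tag reader that trusts a declared length. The frame layout here (4-byte ID, 4-byte big-endian size, payload) is a constructed simplification of an ID3v2-style text frame, not a full ID3 implementation, and the sample frames, function names and the 64-byte title buffer are all assumptions made for the example. The unchecked reader is the class of bug the quoted message describes; the checked reader is the fix.

```c
/* Added example, not from the original page: why a non-executable media
 * tag can still exploit the client that reads it. A simplified ID3v2-like
 * frame (4-byte ID, 4-byte big-endian size, payload) is parsed twice:
 * once trusting the declared size, once validating it. The layout is a
 * constructed simplification, not a real ID3v2 parser. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FRAME_HDR 8      /* 4-byte frame ID + 4-byte size */
#define TITLE_CAP 64     /* assumed size of the caller's title buffer */

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable reader: copies `size` bytes on the file's word alone.
 * A frame declaring size >= TITLE_CAP smashes the caller's buffer and
 * a huge size reads far past the end of the input. Never call this on
 * untrusted data; it is here only to show the missing checks. */
int read_title_unchecked(const unsigned char *tag, size_t tag_len, char *out) {
    if (tag_len < FRAME_HDR) return -1;
    uint32_t size = be32(tag + 4);
    memcpy(out, tag + FRAME_HDR, size);   /* no bound on size at all */
    out[size] = '\0';
    return 0;
}

/* Hardened reader: the declared size must fit both the bytes actually
 * present in the input and the destination buffer (with room for the
 * terminator). Returns 0 on success, -1 on any malformed frame. */
int read_title_checked(const unsigned char *tag, size_t tag_len,
                       char *out, size_t out_cap) {
    if (tag_len < FRAME_HDR || out_cap == 0) return -1;
    if (memcmp(tag, "TIT2", 4) != 0) return -1;  /* expect a title frame */
    uint32_t size = be32(tag + 4);
    if (size > tag_len - FRAME_HDR) return -1;   /* claims more than it carries */
    if (size >= out_cap) return -1;              /* would overrun `out` */
    memcpy(out, tag + FRAME_HDR, size);
    out[size] = '\0';
    return 0;
}

/* Constructed sample frames (not captured from any real file). */
static const unsigned char good_frame[] = {
    'T','I','T','2', 0,0,0,5, 'H','e','l','l','o' };
/* Declares 0x7fffffff payload bytes while carrying five. */
static const unsigned char evil_frame[] = {
    'T','I','T','2', 0x7f,0xff,0xff,0xff, 'H','e','l','l','o' };

/* 1 if the checked reader accepts the good frame with the right text. */
int good_accepted(void) {
    char title[TITLE_CAP];
    if (read_title_checked(good_frame, sizeof good_frame, title, sizeof title) != 0)
        return 0;
    return strcmp(title, "Hello") == 0;
}

/* 1 if the checked reader rejects the frame that lies about its size. */
int evil_rejected(void) {
    char title[TITLE_CAP];
    return read_title_checked(evil_frame, sizeof evil_frame, title, sizeof title) == -1;
}

int main(void) {
    printf("good frame accepted: %s\n", good_accepted() ? "yes" : "no");
    printf("oversized frame rejected: %s\n", evil_rejected() ? "yes" : "no");
    return (good_accepted() && evil_rejected()) ? 0 : 1;
}
```

Feeding `evil_frame` to `read_title_unchecked` is exactly the "constructed file that causes the overrun" Ken describes: nothing in the file executes, the copy in the reader does the damage. The two comparisons in `read_title_checked` are the whole fix, and both are needed: one bounds the read against the input, the other bounds the write against the destination.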

Copyright 2001 XML.org. This site is hosted by OASIS