Content

Beware the gadget bug

I fell asleep early last night, so I woke up this morning mindful of a shaky Mets bullpen and eager to check last night’s scores - and I immediately thought, “Why is my computer restarted?”

I forgot yesterday was Patch Tuesday, believe it or not.

One thing that jumped out immediately about yesterday’s distribution was the release of MS07-048, a patch for numerous gadget flaws, including a vulnerability in RSS feeds.

In a day and age when everyone’s blog offers RSS feed subscriptions, the potential for foul play with such a flaw seems enormous.

Microsoft’s take: “If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contact Gadget or a user clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system.”

So I wasn’t the only one who thought this flaw could get a little hairy.

“This vulnerability has the potential to have significant impact to the enterprise because RSS tools are rapidly proliferating as a real-time communications tool,” said Tyler Reguly, nCircle researcher.

“RSS feeds have the potential to become the next big vector for worms and bots because [they] exploit an existing trust relationship. People place implicit trust in the security of the information source when they use RSS feeds,” said Sheldon Malm, also an nCircle researcher.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.