I forgot yesterday was Patch Tuesday, believe it or not.
One thing that jumped out immediately about yesterday’s distribution was the release of MS07-048, a patch for numerous gadget flaws, including a vulnerability in RSS feeds.
In this day and age, when everyone’s blog offers RSS feed subscriptions, the potential for foul play with such a flaw seems enormous.
Microsoft’s take: “If a user subscribed to a malicious RSS feed in the Feed Headlines Gadget or added a malicious contacts file in the Contact Gadget or a user clicked on a malicious link in the Weather Gadget, an attacker could potentially run code on the system.”
So I wasn’t the only one who thought this flaw could get a little hairy.
“This vulnerability has the potential to have significant impact to the enterprise because RSS tools are rapidly proliferating as a real-time communications tool,” said Tyler Reguly, nCircle researcher.
“RSS feeds have the potential to become the next big vector for worms and bots because [they] exploit an existing trust relationship. People place implicit trust in the security of the information source when they use RSS feeds,” said Sheldon Malm, also an nCircle researcher.