Shortly after the SPI Dynamics presentation that sparked a renewed discussion on feed security in the community last month, James Snell developed a suite of tests (based on an earlier set by James Holderness), and generously made them available quietly to aggregator developers. He has now made the tests public.
I contacted James last month (via email as he requested) and he pointed me to the test suite, so we could test them against our own security mitigations. We have done full test passes using his test suite.
The result: IE7 passed all of the tests (which means that no script from the feeds executed successfully in IE, and that developers using the RSS platform would not have been vulnerable to the class of attacks in the tests). This confirms SPI Dynamics' finding that IE7 was not vulnerable to the attacks described in their paper.
I thought it might be useful to use this opportunity to talk about our commitment to security, the defense-in-depth strategy that we have taken, and how other aggregator developers might benefit from the work we have done.
Our commitment to security
To put it bluntly, we are keenly aware that IE is a target for security researchers and hackers. We know we cannot afford to be lax in how we approach security. It has therefore been our #1 guiding principle that we would aim for a secure experience first -- sacrificing functionality, if necessary, to achieve it.
Long-time readers may remember this post from last November, in which we announced that we would only support well-formed XML in feeds -- the post was the direct result of a long internal discussion about ways to securely handle malicious feeds. Refusing to handle malformed XML eliminates a large class of potential attacks.
Walter posted last month on the details of how IE7 and the Windows RSS Platform protect users and developers from script in feeds. To summarize what he wrote, IE7 employs a (roughly) two-level defense-in-depth strategy:
Each of the two defense-in-depth steps described above requires a significant amount of code and investment, but security has always been important enough to us that they were the first major pieces of development we did when we began implementing the RSS features. In fact, these security features have been in place since the first public release of the IE7 RSS platform features last February.
To give you a sense of what is involved -- at one point in development, the sanitization code accounted for fully one-third of all the code in the RSS platform. The code takes lessons from similar libraries that have been used for years to clean the billions of messages Hotmail receives, and for a number of releases in various parts of Office. It includes a number of feed-specific additions (for example, if an element is supposed to contain only text, then we can remove all HTML, not just the script). We validate and sanitize every documented element in each format we support, as well as a set of common RSS extensions. This is all done before an item is ever stored on the system.
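As an added illustration (not the Windows RSS Platform's own code, which is not shown here), the two measures described above can be combined in a small Python pipeline: the parser rejects anything that is not well-formed XML, text-only elements are stripped of all markup rather than just script, and the one HTML-bearing element is rebuilt from a short tag and attribute allow-list. The per-element policy, the allow-lists and the hostile sample feed are all assumptions constructed for this example.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Assumed per-element policy for illustration: text-only elements lose ALL markup
# (empty allow-list, not just script); description keeps a small tag allow-list.
HTML_TAGS = frozenset({"p", "b", "i", "em", "strong", "a", "br"})
POLICY = {"title": frozenset(), "author": frozenset(), "pubDate": frozenset(),
          "guid": frozenset(), "link": frozenset(), "description": HTML_TAGS}
ALLOWED_ATTRS = {"a": {"href"}}      # and href must be http(s), checked below

class _Sanitizer(HTMLParser):        # rebuilds markup from an allow-list only
    def __init__(self, keep_tags):   # empty keep_tags => plain text comes out
        super().__init__(convert_charrefs=True)
        self.keep_tags, self.out, self.skip = keep_tags, [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":          # drop the element AND its body
            self.skip += 1
        elif tag in self.keep_tags:
            ok = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ())
                  and v and v.strip().lower().startswith(("http://", "https://"))]
            self.out.append("<%s%s>" % (tag, "".join(
                ' %s="%s"' % (k, html.escape(v)) for k, v in ok)))
    def handle_endtag(self, tag):
        if tag == "script":
            self.skip = max(0, self.skip - 1)
        elif tag in self.keep_tags and tag != "br":
            self.out.append("</%s>" % tag)
    def handle_data(self, data):     # re-escape text only when emitting HTML
        if not self.skip:
            self.out.append(html.escape(data, quote=False) if self.keep_tags else data)

def _clean(fragment, keep_tags):
    p = _Sanitizer(keep_tags); p.feed(fragment); p.close()
    return "".join(p.out)

def sanitize_feed(xml_bytes):
    """Reject anything that is not well-formed XML, then sanitize every item."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as err:
        raise ValueError("feed rejected: malformed XML (%s)" % err)
    return [{c.tag: _clean(c.text or "", POLICY[c.tag])   # unknown elements dropped
             for c in item if c.tag in POLICY} for item in root.iter("item")]

# Constructed hostile feed: script and an event handler smuggled into title/description.
SAMPLE_FEED = (b'<rss version="2.0"><channel><item><title>Hello &lt;script&gt;alert(1)'
    b'&lt;/script&gt;&lt;b&gt;world&lt;/b&gt;</title><description>&lt;p onclick="x()"&gt;'
    b'Read &lt;a href="javascript:alert(1)"&gt;this&lt;/a&gt; &lt;a href="https://example.com/"'
    b'&gt;ok&lt;/a&gt;&lt;script&gt;alert(2)&lt;/script&gt;&lt;/p&gt;</description></item></channel></rss>')
```

Running `sanitize_feed(SAMPLE_FEED)` yields a title of plain text only and a description in which the event handler, the script body and the non-http link target are gone while the allow-listed link survives.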
The bottom line is that IE takes security very seriously. We have invested a great deal of time in hardening IE7 across the board, and nowhere more seriously than in our RSS features. It is an ongoing process, however, and we deeply appreciate the efforts of those in the community who have developed additional security tests and allowed us to use them.
We also look forward to continuing to work with the community to improve the security of all aggregators. To that end, we want to make a couple of offers to developers of Windows aggregators:
Thanks for reading,
Sean
PS. Of course, there will be some readers who see this post as a challenge and start looking for exploits in IE's RSS features. If you do find any, please let us know! :) We know that no security is perfect, and that it is an ongoing process.