Slightly more secure RSS-to-local-HTML

RSS aggregators which work by generating an HTML page which they save on the local machine, and then instruct the user’s browser to display that page, have a security problem: Internet Explorer loves HTML from the local machine too much. Pages loaded off your hard drive in IE run in what they call “an implicit zone” which “is treated with a high level of trust.” That means that bad things, like downloading unsigned ActiveX components, don’t happen based on what you have said you want for the various zones you control (Trusted Sites, Internet, Restricted Sites), they happen will ye, nil ye. And that means that aggregators written to behave that way have a special responsibility to remove absolutely everything that might be even remotely risky from the HTML they generate.

However, a bit farther down that page, there’s an interesting safety valve that’s been added to Windows XP Service Pack 2: not only does iexplore.exe run with a special “Local Machine Lockdown zone” where the most insane features aren’t wide open, it also adds a feature, intended to keep security from flying out the window as soon as a user uses File/Save As..., which displays anything containing a comment like

<!-- saved from url=(0025)http://philringnalda.com/ -->

in the Internet zone. (The four-digit number in parentheses is the length of the URL that follows, zero-padded; if it doesn’t match, IE doesn’t honour the comment.) So to provide a little extra margin of safety, all an aggregator needs to do is throw a fake “saved from url=” comment into its generated HTML, and IE will display it in a zone where things are no more risky than they are for any web page. One caveat: IE puts the page in whatever zone that URL would fall in, so the URL should be one that lands in the Internet zone, not a host the user has put in Trusted Sites or Local intranet; the generic form Microsoft documents is url=(0014)about:internet. Sweet!
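Here is what that looks like in code, as an added example that is not from the original post nor from any aggregator it names. It assumes the aggregator already has its generated page as a string; the function names, the about:internet default and the sample documents below are this example’s own choices.

```python
# Added example (not from the post or from any aggregator named on it):
# tagging aggregator-generated HTML with a "saved from url" comment so IE
# evaluates it in the zone of that URL instead of the Local Machine zone.
import re

# A mark an earlier run (or the feed itself) may already carry; it is removed
# before tagging so one document never ends up with two competing marks.
MOTW_RE = re.compile(r"<!--\s*saved from url=\(\d{4}\)[^\r\n]*?-->[ \t]*\r?\n?", re.I)
DOCTYPE_RE = re.compile(r"^\s*<!DOCTYPE[^>]*>[ \t]*\r?\n?", re.I)


def mark_of_the_web(url="about:internet"):
    """Build the comment IE looks for. The number in parentheses is the
    length of the URL in characters, zero-padded to four digits."""
    if url != "about:internet" and not re.match(r"^(https?|ftp)://\S+$", url):
        # The zone is derived from the URL, so only allow ones that land in
        # an Internet-style zone, never file: or anything odd.
        raise ValueError("use about:internet or an absolute http(s)/ftp URL")
    if "-->" in url:
        raise ValueError("URL would terminate the comment early")
    if not 1 <= len(url) <= 9999:
        raise ValueError("URL length must fit the four-digit field")
    return f"<!-- saved from url=({len(url):04d}){url} -->"


def add_mark_of_the_web(html, url="about:internet"):
    """Put the comment on its own line at the top of the document, after the
    DOCTYPE if there is one, replacing any mark the document already has."""
    html = MOTW_RE.sub("", html, count=1)
    motw = mark_of_the_web(url) + "\n"
    m = DOCTYPE_RE.match(html)
    if m:
        return html[:m.end()] + motw + html[m.end():]
    return motw + html


def has_mark_of_the_web(html):
    return bool(MOTW_RE.search(html))


if __name__ == "__main__":
    # Constructed sample page, standing in for an aggregator's output.
    page = "<!DOCTYPE html>\n<html><body><p>entry text</p></body></html>"
    print(add_mark_of_the_web(page, "http://philringnalda.com/"))
```

The about:internet default is the safer choice for an aggregator: tagging with the feed’s own URL puts the page in whatever zone the user has assigned that host, which may be more trusting than Internet.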

(This brief break from “why don’t you just download Firefox and make it your default browser?” brought to you by the thrill of seeing Redmond get something right.)

15 Comments

Comment by Michel Valdrighi #
2004-04-05 07:24:11

If I understand this correctly, even using Firefox as default browser wouldn’t protect you from content rendered by the IE component in aggregators that use it.

Such aggregators are numerous on Windows…

How long until we see new versions of these aggregators including “protection from rogue feeds?” ;)

Comment by Phil Ringnalda #
2004-04-05 08:22:23

Yes, anymore most aggregators are embedding some browser control (IE, Safari Web Kit, Mozilla, probably in that order), which is a different problem: near as I could tell from that article, you can pretty much choose your security level when embedding IE, so as long as they understand what it’s saying better than I do, which I’m sure they probably mostly do, they’re fine. It’s just things like AmphetaDesk and Aggie (and possibly Radio Userland: I’m not sure what zone a local webserver is in) that haven’t had any way to get around being in the Local Machine zone.

Bah. Once I saw that on the screen, I realized it’s been so long since I used either Aggie or Amphetadesk that I no longer remember whether they open a file on disk, or run a local webserver. Maybe this doesn’t actually do anyone any good.

Comment by Luke Hutteman #
2004-04-05 09:09:24

Very interesting – so now all I need is some API call to figure out if a user has XP SP2 installed and if they do, no HTML-tag filtering will be necessary.

thanks for the info!

Comment by Phil Ringnalda #
2004-04-05 10:19:01

Would you, do you? I got the impression (without really understanding what I was reading) that you already can set up a customized security zone which can be even more extreme than the user’s own Restricted Sites zone, so they can’t ever blame anything on you – you’ll be safer than using their browser to read directly (except CSS, which can’t reach out of its single pane in SharpReader anyway). Hard to be sure, for a non-Windows-programmer, but that part didn’t sound like “new in XP SP2.”

Comment by Luke Hutteman #
2004-04-05 12:20:37

Hmm – those custom security zones may indeed be worth checking into as well. Would’ve been nice if .NET had native support for this stuff instead of having to hack into the ol’ Windows APIs, but so be it…

regarding the CSS, I’m starting to wonder why I ever decided to strip that in the first place – as you said, it cannot reach out of the single pane anyway…

Comment by Phil Ringnalda #
2004-04-05 13:46:32

Why are you stripping CSS? Probably because we haven’t told the security story very well.

There may well be CSS vulnerabilities in IE (I just saw a crash-with-CSS this morning), maybe even ones where you need to be careful about what security zone you are running in, but as long as you are in the Internet or Restricted Sites zone (or the custom equivalent), then all you have to worry about is Platypuses trying to get outside their own entries. But so far, the story we’ve told is “CSS bad, object bad (is there actually anyone running in a way that they are in the Local Machine or Trusted Sites zone? I’m not sure anymore), javascript bad” with no shading or “if you have multiple entries in the same document, or include descriptions with HTML in a sidebar of your own blog” to color it. I’m trying to work on improving that, but only at my own glacial pace.

Take the object problem: I need an assortment of objects that shouldn’t be loaded, and ones that should prompt, and whatever other combinations there might be, and I need an assortment of aggregators, running on OSes that I have and ones I don’t have, and then I need to make feeds that try to load the objects, with perfectly safe content as the object element content (because it isn’t just a matter of “strip everything from <object to /object>” but a matter of “strip the outer tags, and recurse through your tag stripper until you either get to something safe, or run out of content”) and test everything and start evangelizing some people to be more safe, and other people to be less paranoid.

Comment by Luke Hutteman #
2004-04-05 22:27:26

Why am I stripping CSS? because I blindly took Mark’s advice.

While Mark’s a smart cookie and typically right on these kinds of things, blindly taking anyone’s advice is usually not a good idea.

In this particular case, from what I can tell running CSS is harmless in an aggregator that only shows one post at a time – even if that post is shown in a non-restricted zone (unless there are some security-related IE CSS bugs I’m not aware of)

Comment by Phil Ringnalda #
2004-04-05 22:35:15

background-image:url(javascript:document.write('<object...');)

That’s just a toss-off, might not work just like that, and I don’t remember if that particular form of javascript injection was patched or not, but I wouldn’t gamble on every single method being patched, if I knew I wasn’t in a safe-for-javascript, safe-for-objects zone.

Comment by Luke Hutteman #
2004-04-05 22:59:05

I’d heard of embedding javascript in CSS, but always thought that was a Mozilla CSS trick that didn’t work in IE. A quick google search proved me wrong.

Guess I better figure out the zone thing first…

Comment by Mark #
2004-04-15 19:33:59

That is just insanely devious. Here’s the RSS version. FeedDemon is vulnerable. Amphetadesk is vulnerable. SharpReader is not. RSS Bandit is not. Bloglines is not. Have not tested Radio.

Comment by Phil Ringnalda #
2004-04-15 20:10:58

It’s pretty, isn’t it? I may not have figured out how to do The Devil’s Feed I promised, but I haven’t stopped thinking about things to put in it.

Comment by Phil Ringnalda #
2004-04-17 19:37:12

If you liked that one, you’re going to love this one to death:

<p style="height: expression(alert('gotcha'))">

Do not load that up in IE and click anywhere in the displayed web page unless you are willing to use the three-finger salute to close your browser. That’s the exploit basically as I first saw it, and when I first ran it I just clicked OK in the alert (twice) and closed the window. But doing a bit more testing I found that just clicking anywhere in the window after getting rid of the first pair of alerts starts up a looping reflow that causes continual alerting, and since alerts are modal dialogs, you can’t do anything else except kill the process. Bwahahahaha!

Shame, Bloglines isn’t vulnerable, so I can’t take 448 to people’s subscriptions there. IE is vulnerable, Firefox and Opera (at least the versions I have installed) aren’t.

(For those of you following along at home: alerts, even ones that hang your browser, aren’t any big deal. However, rather than an alert, it could be script that writes a tag (like an evil <object>) which would have otherwise been stripped by your aggregator, or it could be XSS, in the case of aggregators that you install on your server and log in with a password stored in a cookie – there are lots of easy ways for Javascript running in a page from your server to pass your cookie for your server to my server.)
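The stripping policy the thread arrives at (drop an <object>’s tags but keep walking its fallback content, drop script, refuse javascript: URLs, and never let a style attribute carry expression() or url(javascript:…)) as an added example in Python; this is not code from the post, from SharpReader or from any other aggregator named here. The tag and attribute allowlists, the style property list and the sample entry are this example’s own constructions.

```python
# Added example (not from the post or any aggregator it names): an allowlist
# sanitizer for one feed entry's HTML. Unsafe elements lose their tags but
# their content is walked by the same parser, so an <object> nested in another
# object's fallback text is caught too; script/style content is dropped
# outright; only listed attributes survive, so on* handlers never do;
# href/src must use an allowed scheme; inline style is reduced to a few
# harmless declarations so expression() and url(javascript:...) cannot survive.
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "abbr", "b", "blockquote", "br", "code", "dd", "dl", "dt",
                "em", "i", "img", "li", "ol", "p", "pre", "q", "strong", "ul"}
VOID_TAGS = {"br", "img"}
MUTED_TAGS = {"script", "style", "head", "title", "xml"}   # tags AND content go
ALLOWED_ATTRS = {"href", "src", "alt", "title", "cite", "style", "datetime"}
URL_ATTRS = {"href", "src", "cite"}
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}
STYLE_PROPS = {"color", "background-color", "font-weight", "font-style",
               "font-size", "text-align", "text-decoration", "margin",
               "padding", "height", "width"}
# No parentheses, colons, slashes or backslashes in a value: that rules out
# expression(...), url(...) and the CSS escapes IE accepts (exp\ression).
STYLE_VALUE = re.compile(r"^[\w\s#%.,-]+$")
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)


def safe_url(value):
    # IE ignores embedded control characters, so "java\nscript:" is still
    # javascript:; strip them before looking at the scheme.
    value = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = SCHEME.match(value)
    return m is None or m.group(1).lower() in SAFE_SCHEMES


def clean_style(value):
    kept = []
    for decl in value.split(";"):
        if ":" not in decl:
            continue
        prop, val = decl.split(":", 1)
        prop, val = prop.strip().lower(), val.strip()
        if prop in STYLE_PROPS and STYLE_VALUE.match(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class EntrySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []   # allowed tags still open: the entry closes what it
        self.muted = 0   # opened and cannot close what it didn't (its pane)

    def handle_starttag(self, tag, attrs):
        if tag in MUTED_TAGS:
            self.muted += 1
            return
        if self.muted or tag not in ALLOWED_TAGS:
            return   # unknown/unsafe tag dropped, its content still walked
        clean = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name not in ALLOWED_ATTRS:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            if name == "style":
                value = clean_style(value)
                if not value:
                    continue
            clean.append(f' {name}="{html.escape(value, quote=True)}"')
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{''.join(clean)} />")
        else:
            self.out.append(f"<{tag}{''.join(clean)}>")
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in MUTED_TAGS:
            self.muted = max(0, self.muted - 1)
            return
        if self.muted or tag not in self.open:
            return   # stray </td>, </div>, </table> never reach the output
        while self.open:
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.muted:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data): pass   # includes IE conditional comments
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass

    def result(self):
        self.close()
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    p = EntrySanitizer()
    p.feed(fragment)
    return p.result()


# Constructed sample entry carrying the payloads discussed in the thread.
SAMPLE_ENTRY = (
    '<p style="height: expression(alert(\'gotcha\'))">Hello <b onmouseover="alert(1)">there</b></p>'
    '<p style="color: #800; background-image: url(javascript:document.write(\'x\'))">x</p>'
    '<object data="evil.exe">Fallback <object>nested</object> text</object>'
    '<script>alert(2)</script><a href="java&#10;script:alert(3)">link</a>'
    '<a href="http://example.com/">ok</a><img src="http://example.com/i.png" alt="i">'
    '</td></tr></table><div>escaped?<b>unclosed'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_ENTRY))
```

The style handling is deliberately an allowlist on both the property name and the shape of the value, rather than a search for the string expression or javascript:, because IE tolerates escapes and comments inside both and a blacklist has to chase every spelling.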
Comment by Phil Ringnalda #
2004-04-05 10:24:41

By the way, do you happen to know where I can get ahold of a clearly-unsafe, unsigned, obviously naughty ActiveX control for testing purposes? My only exposure to them has been setting IE to always tell me to say no, so I don’t really know much about them, not even how they are created or what they can do unsafely.

Comment by Luke Hutteman #
2004-04-05 12:25:17

The ActiveX control is called “WebBrowser” and it comes with IE so should already be on your system.

Comment by Phil Ringnalda #
2004-04-05 12:28:35

Bwahahahaha.

I’m guessing that IE doesn’t complain if you try to load that unsafe control, though, no matter what the security settings.
