RSS Secure by Design


One of the reasons we went to Black Hat last month was to show how the Security Development Lifecycle (SDL) has changed the way that Microsoft builds products. I talked about how we’re reducing attack surface with features like ActiveX opt-in, improving code quality and building in Defense in Depth with Protected Mode. I didn’t get a chance to cover the new RSS feed support, but I think the RSS team’s work is a great example for anyone building a new client to handle RSS feeds and a case study in how much Microsoft has changed product development.

The RSS team put a set of security principles in place before they set out to build their feature; they meticulously modeled the way that data would flow through their components, and their developers were determined to build the feature to spec. Designing security upfront has helped the RSS team keep the same basic architecture in place since day 1 and pass security test suites with flying colors so far. I would never expect a feature to be “bulletproof” but I credit the RSS team with applying tough security principles and state-of-the-art tools to get this far.

If you handle feeds, as a developer or just as a user, take a look at Sean’s latest post for more on what they did.

Rob Franco
Lead Program Manager

edit: adding security category tag

Comments (16)

  1. JJMartin says:

    I am all for the renewed focus on security. My big problem with the way it’s implemented is that it results in annoying behaviors that, while safe, are annoying and not well explained. When something (like Automatic Downloading) is explicitly prevented in the name of security, I would like to see products provide some sort of passive notification with a link to what it was, what the risks are and a way to turn it off if you deem the risks are worth the feature.

  2. @JJMartin, I agree that security features should be transparent. Walter from the RSS team tells me that they are considering better notifications like this for the next version of the RSS reader.

  3. Ron says:

    Please don’t say "by design", it scares me…

  4. I need to give a private URL to someone at Microsoft in regards to some very major bugs that I can not post publicly. I can not post this link clientside nor post it in a public report unfortunately. Who should I contact and where can I find their email address? I do not post my email address clientside but I have a form at…

    http://www.jabcreations.com/home/home-contact.php

    In regards to the RSS feature in IE7 I like how (unlike Firefox) it retains the RSS’s title. However it would be better to allow a subscribe option without having to actually view the XML file to simplify things.

  5. Tim says:

    @Ron

    You are so right on.. Every bug I read in the feedback site, that gets closed because the developers don’t want to fix it, is closed "by design". I find it quite scary, that because something was designed incorrectly, and fixing it would involve effort, that qualifying it as a "by design" item, somehow cures it of being a bug.

    I also think the title is a bit arrogant.. maybe time will prove me wrong, but web based security hasn’t been MS’s forte.

  6. Meanie says:

    What do you want, a gold star?  Yay, you actually thought about security and specs this time!  Good job on doing your job!

    Whoopdee-frickin-doo.

  7. Aedrin says:

    I’m beginning to think that this blog should have commenting disabled. 90% of the comments are the usual useless and non-constructive comments by Firefox/Linux fanboys that are bored.

  8. Netherbound says:

    Too bad, I can not get your reader to work with over half of my feeds.

    I get the lovely error listed below.

    "Internet Explorer does not support feeds with DTDs."

    So what’s the point of a feed reader that can’t read feeds?

  9. I have been contacted by two people already at Microsoft (thanks to both of them). The bug no longer occurs in newer builds (thankfully) than those that are publicly available. Sounds good but I’m now a little anxious for a newer build. ;-) Thanks for your time!

  10. Fduch says:

    @Aedrin

    The amount of your comments can be comparable to Firefox comments nowadays… :-)

  11. Fduch says:

    I wonder why they couldn’t make major websites able to work without IE hacks. It’s a logical first step.

    For example look at http://en.wikipedia.org/skins-1.5/monobook/IE70Fixes.css?1

    /* 7.0 – only fixes */
    /* content area */
    /* workaround for various ie float bugs */
    /* This bit is needed to make links clickable… WTF */
    #column-content #content {
        margin-left: 12.2em;
        margin-top: 3em;
        height: 1%;
    }
    .rtl #column-one {
        /* For some reason it tries to inherit the padding-top into every div,
         * and I can’t figure out how to get it back off.
         */
        padding-top: 0;
    }
    #footer li {
        /* Work around bug with inline <li> tags with right margins and nowrap */
        margin-right: 0;
    }

    ………………..

    I liked the comment about clickable links.

  12. EricLaw [MSFT] says:

    Looking at the Wikipedia site, it seems to work correctly even when you zero out the IE70Fixes.css file.

    Perhaps these were needed only for earlier betas?

    Not that this has anything to do with RSS… :-)

  13. Fduch says:

    @Eric

    Of course it doesn’t have anything to do with RSS.

    BUT

    Was there any blog post about memory/resources leaks?

    ABOUT COLOR DEGRADATION TO 16bit WHEN TAB IS NOT FOCUSED FOR SOME TIME?

    If there was, I’d comment there. Maybe.

    Remember the old days when 2 worst problems were not working Back/Forward buttons and being not able to change language? Were there posts about these most reported bugs?

  14. Sagi Arsyad says:

    About RSS.

    It would be nice if the next version of IE7 had a small window alert when a new feed arrived,

    just like RSS Bandit or Opera.