Securing feed enclosures



Greetings,

I am one of the developers on the RSS team, and to complement Sean’s and Walter’s recent postings on feed security, I would like to talk about one topic that didn’t get as much attention in recent discussions on feed security as perhaps it should have – feed enclosures. Enclosures are files “attached” to feed items, commonly used in podcasting and often automatically downloaded to user’s machine by aggregators.

In IE7 and the Windows RSS Platform, we have taken a number of precautions to protect users and developers against feeds which may attempt to use enclosures in malicious ways.

To begin with, when a user subscribes to a feed in IE7 enclosure downloads are turned off by default. Users can easily opt-in to enclosure downloads via the feed properties.

We also treat enclosures as inherently un-trusted files – in many ways similar to email attachments. We decided not to permit directly-executable (i.e. any file that would execute arbitrary code when double-clicked) or other dangerous files to be downloaded as feed enclosures (there are no common scenarios that require this today, and if it is absolutely necessary, it is possible to wrap an executable file in another format, so that it is no longer directly executable). For this we use the most flexible mechanism possible, the Attachment Execution Service (AES). In simple terms, the AES maintains a list of file extensions that are considered dangerous, including the directly-executable file types, which the RSS platform consults to decide whether or not to block a file.

Besides blocking the dangerous file types, AES also has a mechanism which allows security programs, such as anti-virus or anti-spyware, to integrate with it, allowing them to inspect files before we make them available to developers or users. Windows Defender has implemented this integration, so on Windows Vista (or if the user has installed Windows Defender on Windows XP), the user will gain that additional level of protection from the malicious files.

IE also has a mechanism to block file downloads on a per-zone basis, so before fetching the enclosure we also verify that downloads are allowed for the URL. You can find this per-zone setting in your Internet Options, under Security tab. The simplest way to prevent enclosure downloads from a site is to add it to the Restricted Zone, where downloads are disabled by default.

If an enclosure download does get blocked for security reasons, this is reported in the feed view as well as through the RSS platform’s LastDownloadError property.

Downloaded enclosures are stored in a subfolder of the Temporary Internet Files folder. The full path to the enclosures is different on every machine, preventing malicious feeds or other malicious code from using enclosure downloads as a vector to get known files on the system, as well as ensuring that other applications don’t unknowingly access enclosure files. If an application wants access to the downloaded enclosures it needs to obtain the path from the RSS platform.

To summarize: enclosures are treated as un-trusted files, and the following security mitigations are used:


  • Enclosure download is off by-default for all feeds.
  • Directly-executable files are blocked from being downloaded, using the Windows Attachment Execution Service (AES).
  • Anti-virus and Anti-spyware applications (like Windows Defender) can integrate with AES to dynamically block malicious files.
  • Files are stored in a variable location on each PC, ensuring that applications must opt-in to consuming the enclosures.

As before, we want to make sure all aggregator developers know that the tools we are using to make IE and the RSS platform more secure are available for their use as well:


Once again, we would like to reiterate our commitment to working with the community to improve feed security, and as always we are open for your feedback and questions.

Thank you,

Miladin


Update 9/25/2006: Added a summary paragraph for clarity

Comments (24)

  1. Christian says:

    Oh great!

    Does this mean that enclosures are threated like trash? No roaming, automatic deletion when I delete temporary internet files?

    I personally want my feeds and the content to stay for as long as possible. I would like to KEEP the podcasts and not to loose them when roaming to another computer

  2. rss says:

    Enclosures are not deleted with the rest internet cache when the cache is cleared.

    Enclosures are only removed with the item that they are associated with is removed (by default, 200 items are kept for a feed — this number can be changed).

    Their presence under the TIF is just another level of defense. It is an area that is treated specially by the OS — files in that folder are automatically assumed to be "from the Internet" and therefore untrusted.

    It does mean, however, that they won’t roam automatically.

  3. Christopher says:

    In RC1 .mp3 enclosures downloaded no problem but in RC2 they don’t and I get the text "(Download error – Blocked file type)" instead.

    For such a common senario, this should not be the case, is there a security setting that was changed that I can’t find?

  4. Sean says:

    Can you contact us at teamrss@microsoft.com, so we can follow up for some more detail?

  5. Alessandro says:

    I have exactly the same problem of Christopher but with IE7.0. Has a remedy been found?

  6. Andreas says:

    We found an issue with IE 7 and the news feeds database on roaming profiles.

    On roaming profiles the news feeds are stored under directory %userprofile%Local SettingsApplication DataMicrosoftFeeds Cache and this directory is by design not roaming – so every rss feed gets lost if a user log off and log on again.

    Is there any possibility to change the feeds db location, to an persisten path?

    Thanks in advance,

    Andreas

  7. Niraj says:

    Hi Sean ..

    Can i know how do i create a feed for more than 100 items in a single feed ..

    Thanks in advance..

    Regards,

    Niraj

  8. program says:

    Very good . You are doing a great job.

  9. Is there a windows defender emulation that runs under XP?                          

  10. parkiety says:

    Thank you for the good work – I read this blog willingly

  11. Nice to see so good informations. Very good blog.

  12. felgi says:

    Great Article, good to read something interesting! I’m expecing more!

  13. Rules says:

    Is there any possibility to change the feeds db location, to an persisten path?

  14. Boszkowo says:

    Very good . You are doing a great job.

  15. I think about use RSS in my website : <code><a href="http://www.wakacyjny.pl&quot; title="tanie noclegi">Wakacje nad morzem</a></code> but I don’t know how !. Where can I find information about it ?

  16. Very interesting article, good and simple to read… I’m expecing more articles like this.

    Regars,

    ZuRu

  17. Great article. It`s realy worth reading. I wish you further successes

  18. bet365 says:

    removed with the item that they are associated with is removed (by default, 200 items are kept for a feed — this number can be changed).

  19. parkiety says:

    Always have a well-configure each program. thank you for your help

  20. ChaosFreak says:

    How can I make mp3 enclosures in podcasts available to Windows Media Player?

  21. Great Article, good to read something interesting! I’m expecing more!

    By the way,

    Is there a windows defender emulation that runs under XP?        

    Thanks!                  

  22. Ryan says:

    ChaosFreak,

    I just added the 'Temporary Internet FilesEnclosure{uuid}' folder for a feed to my Win7 music library.  They show up in WMP, but WMP can't get any info (like length) for the files.  If I manually move the file to my music folder, they work just fine in WMP.

    I really wish you could specify a download location for a feed. Assinine that you cannot.

  23. alamct says:

    Great article. Thanks for writing .

Skip to main content