Freigeben über


Securing feed enclosures

Greetings,

I am one of the developers on the RSS team, and to complement Sean’s and Walter’s recent postings on feed security, I would like to talk about one topic that didn’t get as much attention in recent discussions on feed security as perhaps it should have - feed enclosures. Enclosures are files “attached” to feed items, commonly used in podcasting and often automatically downloaded to user’s machine by aggregators.

In IE7 and the Windows RSS Platform, we have taken a number of precautions to protect users and developers against feeds which may attempt to use enclosures in malicious ways.

To begin with, when a user subscribes to a feed in IE7 enclosure downloads are turned off by default. Users can easily opt-in to enclosure downloads via the feed properties.

We also treat enclosures as inherently un-trusted files – in many ways similar to email attachments. We decided not to permit directly-executable (i.e. any file that would execute arbitrary code when double-clicked) or other dangerous files to be downloaded as feed enclosures (there are no common scenarios that require this today, and if it is absolutely necessary, it is possible to wrap an executable file in another format, so that it is no longer directly executable). For this we use the most flexible mechanism possible, the Attachment Execution Service (AES). In simple terms, the AES maintains a list of file extensions that are considered dangerous, including the directly-executable file types, which the RSS platform consults to decide whether or not to block a file.

Besides blocking the dangerous file types, AES also has a mechanism which allows security programs, such as anti-virus or anti-spyware, to integrate with it, allowing them to inspect files before we make them available to developers or users. Windows Defender has implemented this integration, so on Windows Vista (or if the user has installed Windows Defender on Windows XP), the user will gain that additional level of protection from the malicious files.

IE also has a mechanism to block file downloads on a per-zone basis, so before fetching the enclosure we also verify that downloads are allowed for the URL. You can find this per-zone setting in your Internet Options, under Security tab. The simplest way to prevent enclosure downloads from a site is to add it to the Restricted Zone, where downloads are disabled by default.

If an enclosure download does get blocked for security reasons, this is reported in the feed view as well as through the RSS platform’s LastDownloadError property.

Downloaded enclosures are stored in a subfolder of the Temporary Internet Files folder. The full path to the enclosures is different on every machine, preventing malicious feeds or other malicious code from using enclosure downloads as a vector to get known files on the system, as well as ensuring that other applications don’t unknowingly access enclosure files. If an application wants access to the downloaded enclosures it needs to obtain the path from the RSS platform.

To summarize: enclosures are treated as un-trusted files, and the following security mitigations are used:

  • Enclosure download is off by-default for all feeds.
  • Directly-executable files are blocked from being downloaded, using the Windows Attachment Execution Service (AES).
  • Anti-virus and Anti-spyware applications (like Windows Defender) can integrate with AES to dynamically block malicious files.
  • Files are stored in a variable location on each PC, ensuring that applications must opt-in to consuming the enclosures.

As before, we want to make sure all aggregator developers know that the tools we are using to make IE and the RSS platform more secure are available for their use as well:

Once again, we would like to reiterate our commitment to working with the community to improve feed security, and as always we are open for your feedback and questions.

Thank you,

Miladin

Update 9/25/2006: Added a summary paragraph for clarity

Comments

  • Anonymous
    September 21, 2006
    Oh great!

    Does this mean that enclosures are threated like trash? No roaming, automatic deletion when I delete temporary internet files?

    I personally want my feeds and the content to stay for as long as possible. I would like to KEEP the podcasts and not to loose them when roaming to another computer

  • Anonymous
    September 21, 2006
    Enclosures are not deleted with the rest internet cache when the cache is cleared.

    Enclosures are only removed with the item that they are associated with is removed (by default, 200 items are kept for a feed -- this number can be changed).

    Their presence under the TIF is just another level of defense. It is an area that is treated specially by the OS -- files in that folder are automatically assumed to be "from the Internet" and therefore untrusted.

    It does mean, however, that they won't roam automatically.

  • Anonymous
    October 14, 2006
    In RC1 .mp3 enclosures downloaded no problem but in RC2 they don't and I get the text "(Download error - Blocked file type)" instead. For such a common senario, this should not be the case, is there a security setting that was changed that I can't find?

  • Anonymous
    October 14, 2006
    Can you contact us at teamrss@microsoft.com, so we can follow up for some more detail?

  • Anonymous
    December 26, 2006
    I have exactly the same problem of Christopher but with IE7.0. Has a remedy been found?

  • Anonymous
    March 21, 2007
    We found an issue with IE 7 and the news feeds database on roaming profiles. On roaming profiles the news feeds are stored under directory %userprofile%Local SettingsApplication DataMicrosoftFeeds Cache and this directory is by design not roaming - so every rss feed gets lost if a user log off and log on again. Is there any possibility to change the feeds db location, to an persisten path? Thanks in advance, Andreas

  • Anonymous
    July 08, 2007
    The comment has been removed

  • Anonymous
    July 19, 2007
    Hi Sean .. Can i know how do i create a feed for more than 100 items in a single feed .. Thanks in advance.. Regards, Niraj

  • Anonymous
    August 19, 2007
    Very good . You are doing a great job.

  • Anonymous
    March 19, 2008
    Is there a windows defender emulation that runs under XP?                          

  • Anonymous
    April 18, 2008
    Thank you for the good work - I read this blog willingly

  • Anonymous
    April 27, 2008
    Nice to see so good informations. Very good blog.

  • Anonymous
    May 31, 2008
    Great Article, good to read something interesting! I'm expecing more!

  • Anonymous
    June 05, 2008
    Is there any possibility to change the feeds db location, to an persisten path?

  • Anonymous
    June 08, 2008
    Very good . You are doing a great job.

  • Anonymous
    June 22, 2008
    The comment has been removed

  • Anonymous
    June 26, 2008
    Very interesting article, good and simple to read... I'm expecing more articles like this. Regars, ZuRu

  • Anonymous
    June 29, 2008
    Great article. It`s realy worth reading. I wish you further successes

  • Anonymous
    September 13, 2008
    removed with the item that they are associated with is removed (by default, 200 items are kept for a feed -- this number can be changed).

  • Anonymous
    November 23, 2008
    Always have a well-configure each program. thank you for your help

  • Anonymous
    January 12, 2009
    How can I make mp3 enclosures in podcasts available to Windows Media Player?

  • Anonymous
    August 11, 2009
    Great Article, good to read something interesting! I'm expecing more! By the way, Is there a windows defender emulation that runs under XP?         Thanks!                  

  • Anonymous
    July 08, 2011
    ChaosFreak, I just added the 'Temporary Internet FilesEnclosure{uuid}' folder for a feed to my Win7 music library.  They show up in WMP, but WMP can't get any info (like length) for the files.  If I manually move the file to my music folder, they work just fine in WMP. I really wish you could specify a download location for a feed. Assinine that you cannot.

  • Anonymous
    September 26, 2014
    Great article. Thanks for writing .