Search Logger

NewsGator Desktop Sync in Beta

5:13 pm - September 19, 2006 in Microsoft RSS Blog

Earlier this year at Mix06, Greg Reinacker and I did a talk on the RSS platform, during which he demo'd a tool to synchronize the RSS platform state with NewsGator Online.

Yesterday, Nick Harris announced that the sync app, now known by the name of "NewsGator Desktop Sync", has gone into beta, and is available for everyone to download.

From Nick's post:

Desktop Sync is a system tray application that keeps your feeds, folders and read states synchronized between NewsGator Online and the Windows RSS Platform.  This means that any application that uses the Windows RSS Platform will be automatically synchronized with your NewsGator Online account!

Check out Nick's post for information on where to download and where to give feedback (you'll need IE7 RC1 or Windows Vista RC1, and a free NewsGator Online account for it to work).

I just want to also use this opportunity to thank Nick, Greg and the others at NewsGator for their great feedback on the RSS platform. It has been great working with them.

- Walter vonKoch

 

Securing feed enclosures

8:25 pm - September 20, 2006 in Microsoft RSS Blog

Greetings,

I am one of the developers on the RSS team, and to complement Sean’s and Walter’s recent postings on feed security, I would like to talk about one topic that didn’t get as much attention in recent discussions on feed security as perhaps it should have - feed enclosures. Enclosures are files “attached” to feed items, commonly used in podcasting and often automatically downloaded to the user’s machine by aggregators.

In IE7 and the Windows RSS Platform, we have taken a number of precautions to protect users and developers against feeds which may attempt to use enclosures in malicious ways.

To begin with, when a user subscribes to a feed in IE7, enclosure downloads are turned off by default. Users can easily opt-in to enclosure downloads via the feed properties.

We also treat enclosures as inherently un-trusted files – in many ways similar to email attachments. We decided not to permit directly-executable (i.e. any file that would execute arbitrary code when double-clicked) or other dangerous files to be downloaded as feed enclosures (there are no common scenarios that require this today, and if it is absolutely necessary, it is possible to wrap an executable file in another format, so that it is no longer directly executable). For this we use the most flexible mechanism possible, the Attachment Execution Service (AES). In simple terms, the AES maintains a list of file extensions that are considered dangerous, including the directly-executable file types, which the RSS platform consults to decide whether or not to block a file.

Besides blocking the dangerous file types, AES also has a mechanism which allows security programs, such as anti-virus or anti-spyware, to integrate with it, allowing them to inspect files before we make them available to developers or users. Windows Defender has implemented this integration, so on Windows Vista (or if the user has installed Windows Defender on Windows XP), the user will gain that additional level of protection from the malicious files.

IE also has a mechanism to block file downloads on a per-zone basis, so before fetching the enclosure we also verify that downloads are allowed for the URL. You can find this per-zone setting in your Internet Options, under Security tab. The simplest way to prevent enclosure downloads from a site is to add it to the Restricted Zone, where downloads are disabled by default.

If an enclosure download does get blocked for security reasons, this is reported in the feed view as well as through the RSS platform’s LastDownloadError property.

Downloaded enclosures are stored in a subfolder of the Temporary Internet Files folder. The full path to the enclosures is different on every machine, preventing malicious feeds or other malicious code from using enclosure downloads as a vector to get known files on the system, as well as ensuring that other applications don’t unknowingly access enclosure files. If an application wants access to the downloaded enclosures it needs to obtain the path from the RSS platform.

To summarize: enclosures are treated as un-trusted files, and the following security mitigations are used:

  • Enclosure download is off by default for all feeds.
  • Directly-executable files are blocked from being downloaded, using the Windows Attachment Execution Service (AES).
  • Anti-virus and Anti-spyware applications (like Windows Defender) can integrate with AES to dynamically block malicious files.
  • Files are stored in a variable location on each PC, ensuring that applications must opt-in to consuming the enclosures.
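The extension blocking and unpredictable storage path described above can be sketched for an aggregator developer as follows. This is an added example, not code from IE7 or the RSS platform: the function names are hypothetical and the extension list is a small constructed sample, not the list AES maintains.

```python
import os
import secrets
from urllib.parse import urlsplit, unquote

# Constructed sample deny-list; the real list is maintained by AES, not here.
DANGEROUS_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr",
                        ".pif", ".js", ".vbs", ".msi", ".lnk"}


def enclosure_filename(url):
    """Return the file name an enclosure URL would be saved under.

    Only the URL path counts: the query string and fragment are dropped, and
    percent-encoding is decoded so "%2Eexe" cannot hide an extension.
    """
    path = unquote(urlsplit(url).path).replace("\\", "/")
    name = path.rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "a.exe. " opens as "a.exe".
    return name.rstrip(". ")


def is_blocked(url):
    """True when the last extension of the saved name is on the deny-list."""
    name = enclosure_filename(url)
    if "." not in name:
        return False
    # Take the text after the final dot, so "ep1.mp3.exe" counts as ".exe"
    # and a bare ".exe" file name is still treated as an executable.
    ext = "." + name.rsplit(".", 1)[1].lower()
    return ext in DANGEROUS_EXTENSIONS


def new_enclosure_dir(root):
    """Create a storage folder under root whose name cannot be predicted."""
    path = os.path.join(root, secrets.token_hex(8))
    os.makedirs(path, mode=0o700)
    return path
```

An application that wants the files has to ask for the path returned by `new_enclosure_dir`, which mirrors the opt-in described in the last bullet.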

As before, we want to make sure all aggregator developers know that the tools we are using to make IE and the RSS platform more secure are available for their use as well:

Once again, we would like to reiterate our commitment to working with the community to improve feed security, and as always we are open for your feedback and questions.

Thank you,

Miladin

Update 9/25/2006: Added a summary paragraph for clarity

 

RSS Platform MiniSDK

5:20 pm - September 22, 2006 in Microsoft RSS Blog

Have you wanted to use the Windows RSS Platform from C++? Unlike managed code or script there is no simple way to create header files with the declaration of the IX.. interfaces which are designed for use from C++. Of course the msfeeds.h header file is included in the Windows SDK. If you are hardcore about Windows development you might already have it installed. However, not everyone wants to install the 1GB+ just to get the msfeeds.h header file.

Fear not, I've recently posted on my blog a MiniSDK which includes the required headers to use the RSS Platform from C++. I hope this will save you some time and effort.

-Walter vonKoch

 

MSR Asia: RSS Reading Habits Survey

7:53 pm - September 22, 2006 in Microsoft RSS Blog

What better way to spend a Friday afternoon (Redmond time, at least), than by filling out a quick 8 question survey on your RSS reading habits, hosted by the MSR Asia Center for Interactive Design?

Even if you don't take the survey, the results will be publicly available on Oct 20th (and there's even a results feed to which you can subscribe to get them when they are available).

Check out the post on the team's blog as well.

- Sean

 

Saving and loading feed lists in IE7 using OPML

4:34 pm - October 8, 2006 in Microsoft RSS Blog

One question we get asked occasionally is:

How do I back up my feed list?

Well, it turns out that there is a standard way to save a feed list in a single file for backup or other purposes. It's called OPML, and IE7 supports importing and exporting feed lists via OPML.

Here is the step-by-step process for backing up your feed list to an OPML file in IE7:

  1. Click on the Add button (the star and plus button next to the Favorites Center button -- Alt-Z is the keyboard shortcut).
  2. Click on Import and Export in the menu.
  3. In the wizard, select Export Feeds from the list of options and click Next.
  4. Select where you'd like the file to be put (by default, it's called feeds.opml, in your Documents folder)
  5. Finish up the wizard.

The OPML file generated will contain your entire feedlist, including any folders you may have created. Simply repeat the process (selecting Import Feeds) to restore a feed list.

As I noted above, OPML is the standard way to save a feed list, and it's supported by pretty much every aggregator out there. You can use the steps above to save your feed list to use in another aggregator or to import a feed list created by another aggregator.

Since IE7 uses the RSS platform, you can also use this technique to import or export lists of feeds from and to any application that uses the RSS platform.

Oh, and by the way -- IE7 is coming this month.

Sean

 

Attensa for Outlook 2.0

1:32 pm - October 10, 2006 in Microsoft RSS Blog

The folks at Attensa make a slick RSS aggregator that integrates with Outlook and provides a River of News-style view with prioritization based on what feeds you use the most.

Not too long ago, they released version 2.0 of the Attensa for Outlook product. Along with a ton of other great features, it includes synchronization with the Windows RSS Platform, so when you hit that RSS button in IE, the feed can automatically show up in Attensa -- which is great if you're using Attensa as your primary RSS reader.

This has been one of our guiding principles in IE7 -- you don't have to read your feeds in IE. By using the open APIs of the RSS platform, developers of innovative new RSS readers like Attensa can gain access to the orange button in IE7 that Steve Rubel loves.

Attensa works with Outlook 2000, Outlook XP and 2003 (Outlook 2007 support is in the works). If you're an Outlook user, you should definitely check it out. It's free -- so it's an easy choice if you're looking to try out something new.

- Sean

 

Thank you.

1:14 am - October 22, 2006 in Microsoft RSS Blog

It's been a hectic week.

Between getting thrown in a fountain (that's my boss, Group Program Manager of IE, but almost everyone went in at some point), and being filmed for Channel 9 video (say hi to Arvind, Will and Cindy, about half of the RSS test team), I forgot to post a note here. But, I figured that most people had probably heard that IE7 for XP (including the Windows RSS Platform) shipped last Wednesday.

But, in case you haven't... Dean Hachamovitch (GM of IE) has a post over on the IEBlog that covers all of the goodness that's in IE7. There's some good information on how to give feedback and get support, and the plans for Automatic Update distribution of IE7.

Now that the week is over, I'm taking a minute to reflect. Building IE7's RSS features and the Windows RSS Platform has been a great ride for all of us on the RSS team. More importantly, it is abundantly clear that we could not have done it without the feedback and comments from all of you (anyone remember the icon posts?).

So, on behalf of the whole team: thank you.

As Dean said in his post, we have already started work on plans for the next version of Internet Explorer (which includes, of course, plans for the next version of the IE RSS features and the Windows RSS platform). So, feel free to use the comments on this post to let us know what RSS features are on the top of your must-see list for the next release.

Thanks again,
Sean

 

Windows Vista and Feeds

3:01 pm - December 4, 2006 in Microsoft RSS Blog

As noted pretty much everywhere on the web, Windows Vista launched (for businesses) last week.

Windows Vista includes IE7 and the Windows RSS Platform, and is therefore the first Windows operating system to ship with built-in support for RSS (and the first OS of any kind to have RSS support built-in as a native platform component).

Windows Vista is, in fact, the fulfilment of a promise we made over a year ago at Gnomedex 5.0: Longhorn loves RSS.

 

In addition to the reading experience in IE7, and the platform features, Windows Vista also includes the new Windows Sidebar, which ships with a Feed Headlines gadget.

The team that built the gadget have written up a great post on how the gadget was built, and how they leveraged the RSS platform to make development much easier for themselves.

Read their post here: Building the Feed Headlines Gadget.

In case you haven't seen the gadget in action, the screenshot below shows the gadget after the user has clicked on a headline (I've configured it to show the headlines from the MSNBC News feed).

Many thanks to the folks on the Sidebar team that developed such a great gadget, as well as to Chrix Finne, who interned on the IE RSS team as a PM this past summer, and helped out the Sidebar team with feature design for this gadget.

- Sean

 Note: Apologies to readers who downloaded an earlier version of this post, which used a photograph taken by Niall Kennedy and posted on flickr.com. He did not appreciate the usage, and replaced it with a different image. I forgot to include an attribution, which I had fully intended to do, but for which I apologise to him.

 

Enclosure Download

2:46 pm - December 6, 2006 in Microsoft RSS Blog

A while ago I posted details about the RSS Platform Download Engine. That post focused on downloading of feeds, but did not include additional details on enclosure downloads.

   

Enclosures are, as most readers know, files that are "attached" to items in an RSS feed. Typically, a publisher will include a reference to a binary file, which an RSS aggregator can optionally download when the feed content is downloaded. The most common example of enclosure use in RSS feeds is for podcasting, where the attached (or "enclosed") files are audio files.

   

As with feed download, we designed the enclosure download with server and client bandwidth in mind since feed as well as enclosure downloads also happen in the background. Their impact on foreground applications should be limited. Similarly, the impact of large enclosure downloads on servers should be limited.

   

Let me sketch how the enclosure download process works:

  1. Every time the feed download engine runs, it processes feeds that have the "Automatically Download Enclosures" setting set to true. If it comes across a new item with an enclosure, it adds the URL of the enclosure to a FIFO queue.
  2. Before the enclosure is added to the queue, the URL is checked with the Attachment Execution Service API (AES) to ensure the enclosure file type is one of the permitted types. If it's not, the enclosure download fails (IFeedEnclosure.LastDownloadError = FDE_DOWNLOAD_BLOCKED).
  3. The first 4 enclosures in the queue are then handed off to the Background Intelligent Transfer Service (BITS). BITS is a background download service that ships in Windows and which enables downloading of files in the background while limiting its effects on network usage. In particular, BITS uses HTTP RANGE requests to download files in chunks. BITS also monitors whether foreground applications (like email or browser) are using the network, and if so, it throttles back its own network usage to limit its impact on those applications.
  4. Once BITS completes downloading an enclosure, the Download Engine uses AES to save the enclosure to the folder corresponding to the feed. Saving via AES associates zone information with the file. The zone information is used when the file is launched at a later time.
  5. If there are more enclosures waiting to be downloaded and there are fewer than 4 enclosure downloads active, the next enclosure is handed off to BITS as in step #3.
  6. If, however, the server of the enclosure does not support HTTP RANGE requests, the Platform Download Engine falls back to downloading the enclosure via a regular HTTP GET request. If this attempt fails as well, then the enclosure download fails and will not be attempted again automatically.

       

Note that the enclosure fall-back download (HTTP GET) is size limited to 15MB to limit the impact of denial of service (DoS) attacks against the RSS Platform Download Engine. Since the RSS Platform Download Engine runs in the background, a malicious server could consume all of the client's download bandwidth without the user having any idea. Enclosure download via BITS (HTTP RANGE requests) is less impacted by such an attack and is consequently not size limited.

   

In other words, if you are an enclosure publisher that wants to serve enclosures larger than 15MB to IE7 users, then you should use HTTP servers that support HTTP RANGE requests. Most popular web servers support HTTP RANGE requests.

   

It's also worth noting that when a server does not support HTTP RANGE requests, the RSS Platform Download Engine will issue two requests for each file (the first testing for HTTP RANGE support, and the second to download the file without range support).
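The queue, the type check, the four-transfer limit, the capped fallback and the two requests seen by servers without RANGE support can be traced with the small model below. It is an added example, not the Download Engine's code: the `Enclosure` class, the function names and the two-entry blocked list are constructed, and it assumes that a fallback download over the cap ends as a failed download and that 15MB means 15 × 1024 × 1024 bytes.

```python
from collections import deque
from dataclasses import dataclass, field

MAX_ACTIVE = 4                      # steps 3 and 5: at most 4 transfers at once
FALLBACK_LIMIT = 15 * 1024 * 1024   # 15MB cap on plain GET (byte value assumed)
BLOCKED_TYPES = (".exe", ".scr")    # constructed stand-in for the AES list


@dataclass
class Enclosure:                    # constructed model, not a platform type
    url: str
    size: int                       # bytes the server would send
    range_ok: bool                  # does the server honour HTTP RANGE?
    status: str = "new"
    requests: list = field(default_factory=list)  # what the server sees


def enqueue(queue, enc):
    """Step 2: the type check happens before the URL reaches the queue."""
    if enc.url.lower().endswith(BLOCKED_TYPES):
        enc.status = "FDE_DOWNLOAD_BLOCKED"
    else:
        enc.status = "queued"
        queue.append(enc)


def transfer(enc):
    """Steps 3 and 6 for one enclosure: ranged download, else capped GET."""
    enc.requests.append("RANGE")    # first request tests for RANGE support
    if enc.range_ok:
        enc.status = "downloaded"   # chunked by BITS, no size limit
        return
    enc.requests.append("GET")      # second request: fallback without ranges
    # Assumption: a fallback body over the cap ends as a failed download.
    enc.status = "failed" if enc.size > FALLBACK_LIMIT else "downloaded"


def run(enclosures):
    """Drive the FIFO queue; returns the peak number of active transfers."""
    queue, active, peak = deque(), [], 0
    for enc in enclosures:
        enqueue(queue, enc)
    while queue or active:
        while queue and len(active) < MAX_ACTIVE:
            active.append(queue.popleft())
        peak = max(peak, len(active))
        transfer(active.pop(0))     # oldest transfer completes, freeing a slot
    return peak
```

Running it over a feed that mixes servers with and without RANGE support shows which enclosures a publisher should expect to fail and which produce the second request.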

For more details on the security measures used to protect applications and users from potentially malicious enclosures, see Miladin's enclosure security post.

   

I hope that this description of the enclosure download process explains the "multiple-requests" that some publishers have seen, as well as the security restrictions associated with enclosure downloads.

   

-Walter vonKoch

Program Manager

 

Patent Applications in the RSS space

7:18 pm - December 23, 2006 in Microsoft RSS Blog

It's always fun when a story hits the blogosphere while you're stuck on a plane. :)

This will be short, because I'm connecting over a 14.4K modem line (I have the deepest sympathy for folks who still do this every day!), but I just want to say a few basic things about the RSS-related patent applications mentioned in the article and elsewhere.

First, these patents describe specific ways to improve the RSS end-user and developer experience (which we believe are valuable and innovative contributions) -- they do not constitute a claim that Microsoft invented RSS.

We have always fully acknowledged the innovators and supporters of RSS, like Dave Winer, Nick Bradbury and many others, and I can say, without hesitation, that I and my colleagues personally have the deepest respect for their invaluable contributions.

From the beginning we have sought an open and reasonable relationship with the RSS community. As one example, we have published various RSS and Atom extensions under a Creative Commons license. These specifications provide proof of our commitment to offer our contributions to the community and evidence of our efforts to advance the technology. We honestly hope that our work brings benefit to all feed publishers, developers and users, and we've been happy with the response we have received from the community so far.

Finally, as a number of commenters have noted, we are far from the only company to apply for patent protection in this space. Other companies, including Apple and Google, have apparently also applied for patents. Applying for a patent on your innovation is common industry practice, and one which, by incenting and protecting the companies and people involved, encourages everyone to contribute to the community.

I hope this helps put our position in perspective. I want to reiterate that my team and I are fully committed to RSS and feed syndication technologies in general and to the community. Please post any additional questions (I'm sure you didn't need an invitation :), and I'll get back to them in the new year.

Thanks,

Sean Lyndersay
Program Manager Lead, RSS

 
 
 
 
 
 