What better way to spend a Friday afternoon (Redmond time, at least), than by filling out a quick 8 question survey on your RSS reading habits, hosted by the MSR Asia Center for Interactive Design?
Even if you don't take the survey, the results will be publicly available on Oct 20th (and there's even a results feed to which you can subscribe to get them when they are available).
Check out the post on the team's blog as well.
- Sean
Have you wanted to use the Windows RSS Platform from C++? Unlike managed code or script there is no simple way to create header files with the declaration of the IX.. interfaces which are designed for use from C++. Of course the msfeeds.h header file is included in the Windows SDK. If you are hardcore about Windows development you might already have it installed. However, not everyone wants to install the 1GB+ just to get the msfeeds.h header file.
Fear not, I've recently posted on my blog a MiniSDK which includes the required headers to use the RSS Platform from C++. I hope this will save you some time and effort.
-Walter vonKoch
Greetings,
I am one of the developers on the RSS team, and to complement Sean’s and Walter’s recent postings on feed security, I would like to talk about one topic that didn’t get as much attention in recent discussions on feed security as perhaps it should have - feed enclosures. Enclosures are files “attached” to feed items, commonly used in podcasting and often automatically downloaded to the user’s machine by aggregators.
In IE7 and the Windows RSS Platform, we have taken a number of precautions to protect users and developers against feeds which may attempt to use enclosures in malicious ways.
To begin with, when a user subscribes to a feed in IE7 enclosure downloads are turned off by default. Users can easily opt-in to enclosure downloads via the feed properties.
We also treat enclosures as inherently un-trusted files – in many ways similar to email attachments. We decided not to permit directly-executable (i.e. any file that would execute arbitrary code when double-clicked) or other dangerous files to be downloaded as feed enclosures (there are no common scenarios that require this today, and if it is absolutely necessary, it is possible to wrap an executable file in another format, so that it is no longer directly executable). For this we use the most flexible mechanism possible, the Attachment Execution Service (AES). In simple terms, the AES maintains a list of file extensions that are considered dangerous, including the directly-executable file types, which the RSS platform consults to decide whether or not to block a file.
Besides blocking the dangerous file types, AES also has a mechanism which allows security programs, such as anti-virus or anti-spyware, to integrate with it, allowing them to inspect files before we make them available to developers or users. Windows Defender has implemented this integration, so on Windows Vista (or if the user has installed Windows Defender on Windows XP), the user will gain that additional level of protection from the malicious files.
IE also has a mechanism to block file downloads on a per-zone basis, so before fetching the enclosure we also verify that downloads are allowed for the URL. You can find this per-zone setting in your Internet Options, under the Security tab. The simplest way to prevent enclosure downloads from a site is to add it to the Restricted Zone, where downloads are disabled by default.
If an enclosure download does get blocked for security reasons, this is reported in the feed view as well as through the RSS platform’s LastDownloadError property.
Downloaded enclosures are stored in a subfolder of the Temporary Internet Files folder. The full path to the enclosures is different on every machine, preventing malicious feeds or other malicious code from using enclosure downloads as a vector to get known files on the system, as well as ensuring that other applications don’t unknowingly access enclosure files. If an application wants access to the downloaded enclosures it needs to obtain the path from the RSS platform.
To summarize: enclosures are treated as un-trusted files, and the following security mitigations are used:
As before, we want to make sure all aggregator developers know that the tools we are using to make IE and the RSS platform more secure are available for their use as well:
Once again, we would like to reiterate our commitment to working with the community to improve feed security, and as always we are open for your feedback and questions.
Thank you,
Miladin
Update 9/25/2006: Added a summary paragraph for clarity
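The enclosure checks described in the post above, sketched as a portable policy gate an aggregator could run before fetching anything. This is an added example, not code from IE7 or the Windows RSS Platform: the extension set and restricted-host set are constructed stand-ins for the AES list and the zone settings, and all function names are hypothetical.

```python
import secrets
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import unquote, urlsplit

# Constructed stand-ins: the real dangerous-type list belongs to AES and the
# real download policy to the IE security zones; neither is reproduced here.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".msi", ".lnk"}
RESTRICTED_HOSTS = {"restricted.example"}

# Constructed sample feed with four enclosures.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Constructed sample</title>
<item><enclosure url="http://podcast.example/ep1.mp3" type="audio/mpeg"/></item>
<item><enclosure url="http://podcast.example/ep2.mp3.EXE?x=1" type="audio/mpeg"/></item>
<item><enclosure url="http://podcast.example/setup.scr%20" type="audio/mpeg"/></item>
<item><enclosure url="http://restricted.example/talk.mp3" type="audio/mpeg"/></item>
</channel></rss>"""

def enclosure_extension(url):
    """Extension of the file name the URL path would produce on disk."""
    name = unquote(urlsplit(url).path).rsplit("/", 1)[-1]
    name = name.rstrip(". ")  # Windows drops trailing dots and spaces
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def decide(url, downloads_enabled):
    """Return the policy decision for one enclosure URL."""
    if not downloads_enabled:  # off by default, the user opts in per feed
        return "skipped: enclosure downloads are off for this feed"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "blocked: unsupported scheme"
    if parts.hostname in RESTRICTED_HOSTS:  # checked before any fetch
        return "blocked: host is in the restricted list"
    ext = enclosure_extension(url)
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked: dangerous file type {ext}"
    return "allowed"

def review_feed(xml_text, downloads_enabled=False):
    """Decide every enclosure in a feed; declared MIME type is ignored."""
    root = ET.fromstring(xml_text)
    return [(e.get("url", ""), decide(e.get("url", ""), downloads_enabled))
            for e in root.iter("enclosure")]

def enclosure_dir(cache_root):
    """Storage path with a random component that a feed cannot predict."""
    return Path(cache_root) / secrets.token_hex(16)

if __name__ == "__main__":
    for url, verdict in review_feed(SAMPLE_FEED, downloads_enabled=True):
        print(f"{verdict:45} {url}")
```

The second and third sample enclosures declare `audio/mpeg` but resolve to `.exe` and `.scr` on disk, which is why the decision is made on the normalised file name rather than on the type the feed declares.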
Earlier this year at Mix06, Greg Reinacker and I did a talk on the RSS platform, during which he demo'd a tool to synchronize the RSS platform state with NewsGator Online.
Yesterday, Nick Harris announced that the sync app, now known by the name of "NewsGator Desktop Sync" has gone into beta, and is available for everyone to download.
From Nick's post:
Desktop Sync is a system tray application that keeps your feeds, folders and read states synchronized between NewsGator Online and the Windows RSS Platform. This means that any application that uses the Windows RSS Platform will be automatically synchronized with your NewsGator Online account!
Check out Nick's post for information on where to download and where to give feedback (you'll need IE7 RC1 or Windows Vista RC1, and a free NewsGator Online account for it to work).
I just want to also use this opportunity to thank Nick, Greg and the others at NewsGator for their great feedback on the RSS platform. It has been great working with them.
- Walter vonKoch
This week’s featured user is Mathgirl826, number one in Science & Mathematics and number 7 in Education & Reference. She has answered 1990 questions with an impressive 1336 being picked best answer. She mainly helps clear up questions people have with Mathematics, but will also stop by the Education & Reference category to offer Homework Help. She has offered help with solving 3 variable equations and cleared up confusion around a word problem.
Here is what she had to say:
“I'm from Illinois, and I currently live in Oklahoma. I've always loved math. I haven't gotten a PHD (just a Masters), but I may do so in the future. I love helping others learn math, and that is why I got into teaching. I just graduated college two years ago, so I am pretty new to the teaching field.
I'm a huge cat lover. Ever since I was nine years old, I've always had a cat. Right now I have two beautiful ones, Christian and Samantha.
I love to read. My favorite book is Atlas Shrugged by Ayn Rand, and my favorite author is Dean Koontz.”
Thanks for all of your contributions!
Katie T.
Have you ever wondered why AdWords offers you so many options? Or why, just when you think you know the program inside and out, something changes?
Listening to our advertisers, we understand that while some love AdWords just the way it is, others feel it is rather complex, that perhaps it changes too often for your comfort, and that not everything running under the hood is fully explained...