SPI Dymanics reports on RssReader vulnerability
"The vulnerabilities are caused due to input validation errors in the processing of Atom and RSS feeds. This can be exploited to inject and execute arbitrary HTML and script code in context of the feed by tricking a user into adding a malicious feed and then viewing the content of it."
Please rest assured that IE7 is not prone to such a vulnerability because:
- The Windows RSS Platform uses several techniques to strip out script (and several other variations of malicious HTML) before storing the feed content.
- Just in case the first step misses something, IE's feed view uses a variation on the Restricted Zone to show a feed, meaning that no script in a feed will run, even if makes it through the previous step.
Ironically, SPI Dynamics was mentioned in that very post.