Blogs are popularly being read on RSS aggregators these days. That or via Atom feeds and recently, it has been said that attackers could use Javascript to take advantage of this. According to an article on USA Today, this could be any kind of information as long as it is in this format. In the said article, you could also find out the list of vulnerable readers: Bloglines, RSS Reader, RSS Owl, Feed Demon, and Sharp Reader.
This kind of news is actually not so new. Mark Pilgrim was one of the bloggers who has written about this before. He even set up an experiment of sorts, wherein subscribers to his blog feed saw a screen full of platypi. He has mentioned in his blog entry that the difficulty with RSS is that there is a lot of arbitrary HTML and it could include Javascript — it could be malicious Javascript as designed by some attackers. Mark Pilgrim even listen down the elements that should be stripped off by RSS readers, just to be safe:
script tags, embed tags, object tags, frameset tags, iframe tags, meta tags, link tags, style tags, style attributes from every tag.
If you are always subscribing to different blogs, forums and mailing lists through RSS, you should be careful about it. If there are comments RSS, you could also take precautionary measures by not subscribing to it. It is possible to get attacked through the RSS of comments. Aside from that, if you have set up your own personal aggregator, make sure that you have a ‘smart’ aggregator which strips off the said tags. If you have an aggregator on your computer, check if it is vulnerable. Maybe you could install something else that isn’t prone to attacks via RSS. It is better to be secure after all.