Important! Safari RSS Security Risk

If you use a Mac, it’s very important that you read this, even if you don’t use Safari.

Republished from Brian Mastenbrook:

Disclosure of information vulnerability in Safari
Posted on Sun, 11 Jan 2009
Last edited Tue, 13 Jan 2009

I have discovered that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites. The vulnerability has been acknowledged by Apple.

All users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox). Users of previous versions of Mac OS X are not affected.

Users of Safari on Windows are also affected. Users who have Safari for Windows installed but do not use it for browsing are not affected.

The details of this vulnerability have not been made public to the best of my knowledge, but secrecy is no guarantee against a sufficiently motivated attacker. Because this vulnerability could be exploited by a phishing site in a way that would not cause affected users to suspect their information had been stolen, users of Mac OS X Leopard should protect themselves until a fix is issued by Apple by choosing a default feed reader other than Safari, such as Mail. To select a different feed reader:

1. Open Safari and select Preferences… from the Safari menu.
2. Choose the RSS tab from the top of the Preferences window.
3. Click on the Default RSS reader pop-up and select an application other than Safari.

The only workaround available for users of Safari on Windows is to use a different web browser.

Apple has not made information available on when a fix for this issue will be released. Users with questions or concerns should contact Apple as I have no additional information about this vulnerability which can be shared at this time.