Security Vulnerability in Apple's Safari RSS Reader

I use Apple’s Safari web browser almost every single day. I like it and I depend on it. Thus I was alarmed to read that Brian Mastenbrook recently discovered that Safari’s RSS reader is “vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention.”

Apparently this “can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites.”

Mastenbrook notes that this vulnerability has been acknowledged by Apple. It affects Safari in Leopard and in Windows, but apparently does not affect people using Tiger.

Originally it seemed that the solution was very simple: change your default RSS reader from Safari to another RSS application in Safari’s preferences. However, Mastenbrook’s further research showed that this does not completely disassociate Safari from all RSS feeds.

To work around this issue until a fix is released by Apple, Mastenbrook suggests the following steps. Note that I was able to easily do this on all of my Macs.

1. Download and install the RCDefaultApp preference pane, which you can get by clicking here.

2. This installs into your Mac’s system preferences. Open your Mac’s system preferences by clicking on the Apple in the upper left corner of your Mac’s screen and choosing “System Preferences”.

3. Click on the Default Applications option.

4. Select the “URLs” tab at the top of the window that opens. Now choose the “feed” URL type from the column on the left, and choose a different application (such as NetNewsWire, or NewsFire, which is my preferred desktop RSS app; you can also choose Mail in Leopard, which has an RSS reader and is not affected by the issue).

5. Repeat the previous step for the “feeds” and “feedsearch” URL types. Note that you don’t need to set a different app for these options; I chose the “” option here.

I’ve performed the above steps with no difference in performance for Safari. I’m sure Apple is working on a patch to be released ASAP.

Read the original report by clicking here.

It’s extremely unlikely that a Safari user would be affected by this. However, it’s almost always better to be safe than sorry. Thank you to Brian Mastenbrook for discovering this issue!
