Safari RSS Security Vulnerability

Brian Mastenbrook:

I have discovered that Apple’s Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user’s hard drive without user intervention. This can be used to gain access to sensitive information stored on the user’s computer, such as emails, passwords, or cookies that could be used to gain access to the user’s accounts on some web sites. The vulnerability has been acknowledged by Apple.

Choose a default RSS reader other than Safari (in Safari’s preferences) and you should be safe.

Update: Mastenbrook has updated his advisory, indicating that you need to do more. Download RCDefaultApp and disable or change the assignments for the “feeds:” and “feedsearch:” URL schemes, too (that’s in addition to the “feed:?” scheme, which is what gets changed when you use Safari’s preference to set the default RSS reader).
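A way to audit the handler assignments the update describes, as an added example (not code from this post or from Mastenbrook's advisory): it parses a constructed LaunchServices preference plist and reports which of the feed:, feeds: and feedsearch: schemes still route to Safari. The LSHandlers / LSHandlerURLScheme / LSHandlerRoleAll layout, the com.apple.Safari bundle identifier and the rule that an unassigned scheme falls back to Safari are assumptions.

```python
import plistlib
from typing import Dict, List

# URL schemes named in the advisory: Safari's RSS preference only reassigns
# "feed:", while "feeds:" and "feedsearch:" keep their own handler entries.
RSS_SCHEMES = ("feed", "feeds", "feedsearch")
SAFARI_BUNDLE_ID = "com.apple.Safari"  # assumed bundle identifier for Safari

# Constructed sample LaunchServices preference data (assumed layout: an
# "LSHandlers" array of dicts keyed by LSHandlerURLScheme / LSHandlerRoleAll).
# Here "feed:" was reassigned to another reader, but "feeds:" still points at
# Safari and "feedsearch:" has no entry at all.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>LSHandlers</key><array>
<dict><key>LSHandlerURLScheme</key><string>feed</string>
      <key>LSHandlerRoleAll</key><string>com.example.rssreader</string></dict>
<dict><key>LSHandlerURLScheme</key><string>feeds</string>
      <key>LSHandlerRoleAll</key><string>com.apple.Safari</string></dict>
<dict><key>LSHandlerURLScheme</key><string>http</string>
      <key>LSHandlerRoleAll</key><string>com.apple.Safari</string></dict>
</array></dict></plist>"""


def scheme_handlers(plist_bytes: bytes) -> Dict[str, str]:
    """Map each URL scheme with an LSHandlers entry to its handler bundle id."""
    data = plistlib.loads(plist_bytes)
    handlers: Dict[str, str] = {}
    for entry in data.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        if scheme:
            # Prefer the all-roles handler, fall back to the viewer role.
            handlers[scheme.lower()] = (entry.get("LSHandlerRoleAll")
                                        or entry.get("LSHandlerRoleViewer", ""))
    return handlers


def unsafe_rss_schemes(plist_bytes: bytes) -> List[str]:
    """Return the advisory's RSS schemes still routed to Safari.

    Assumption: a scheme with no explicit entry uses the system default, which
    for these schemes is Safari, so it is reported as unsafe as well.
    """
    handlers = scheme_handlers(plist_bytes)
    return [s for s in RSS_SCHEMES
            if handlers.get(s, SAFARI_BUNDLE_ID) == SAFARI_BUNDLE_ID]


if __name__ == "__main__":
    print("schemes still handled by Safari:", unsafe_rss_schemes(SAMPLE_PLIST))
```

Pointing `plistlib.loads` at the bytes of a real LaunchServices preference file, rather than the constructed sample, gives the same report for an actual machine.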

Tuesday, 13 January 2009