Open Source Software Engineer Reports Vulnerability in Safari RSS Feeds

| News

In a post to his blog on Sunday, open source software engineer Brian Mastenbrook stated he's located a vulnerability in the Safari web browser for the Mac OS X and Windows operating systems that could compromise a user's files and passwords if exploited.

"Safari ... is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention," Mastenbrook wrote.  "This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites."

Mastenbrook then advises that users change their default RSS reader preference to another feed reader, such as the one embedded in Apple's Mail program or NetNewsWire.

Where Windows users are concerned, Mastenbrook's blog entry suggests that users rely on an alternate web browser until the security hole is patched.

Though not a widely known name outside security circles, Mastenbrook is currently credited with no fewer than four mentions by name in previous security updates and fixes.



Popular TMO Stories


Lee Dronick

I wonder how soon it will before Apple has a security update for this.

Original Workaround Not Sufficient

“The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I have since discovered (on 13 January 2009) that changing the default RSS feed reader application in Safari does not correctly disassociate Safari from all RSS feed URLs. The workaround section of this post has been updated with additional information. I regret that what initially appeared to be a simple workaround is now substantially more complicated and requires the installation of third-party software to perform.”

Log in to comment (TMO, Twitter or Facebook) or Register for a TMO account