Brian Mastenbrook reports a potentially serious security problem with Safari under Leopard, one that he says is confirmed by Apple. Mastenbrook recommends a workaround.

According to Mastenbrook—who has discovered previous security problems, and is known in the Macintosh community—

Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention.

Once the malicious user has access, a variety of files might be read, including cookies, with password data, email, passwords, etc. allowing a thief to then use the user's private information to log on to that user's accounts on Web sites. Apple has acknowledged the problem, says Mastebrook.

All users of OS X 10.5 Leopard who have not changed their RSS or feed reader application Preference in Safari from the Mac OS X default are potentially affected, whether or not they use RSS feeds, or use a different Web browser. Users of Safari on Windows are also potentially affected if they use Safari for browsing.

The temporary workaround for Mac OS X 10.5 Leopard involves a simple Preference change, and is simple to implement, and to reverse.

1. Open Safari




2. Select Preferences... from the Safari menu.




3. Click the RSS tab from the top of the Preferences window.




4. Click the Default RSS reader pop-up menu




5. Select an application other than Safari even if you do not use RSS feeds, and do not intend to use the application to read them.