Potential Security Issue with Safari under Leopard

Brian Mastenbrook reports a potentially serious security problem with Safari under Leopard, one that he says is confirmed by Apple. Mastenbrook recommends a workaround.

According to Mastenbrook, who has discovered previous security problems and is known in the Macintosh community:

Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention.

Once the malicious user has access, a variety of files might be read, including cookies with password data, email, passwords, etc., allowing a thief to then use the user's private information to log on to that user's accounts on Web sites. Apple has acknowledged the problem, says Mastenbrook.

All users of OS X 10.5 Leopard who have not changed their RSS or feed reader application Preference in Safari from the Mac OS X default are potentially affected, whether or not they use RSS feeds, or use a different Web browser. Users of Safari on Windows are also potentially affected if they use Safari for browsing.

The temporary workaround for Mac OS X 10.5 Leopard is a Preference change that is simple to implement and to reverse.

  1. Open Safari.
  2. Select Preferences... from the Safari menu.
  3. Click the RSS tab from the top of the Preferences window.
  4. Click the Default RSS reader pop-up menu.
  5. Select an application other than Safari even if you do not use RSS feeds, and do not intend to use the application to read them.