Security Vulnerability Found in Safari RSS

[Habakuk]

http://www.heise-online.co.uk/news/V...afari--/112402

[Tallest Skil]

Here's my opinion: We'll be getting a Safari update soon! Yay!

[r.j.s]

Good thing I don't use Safari to handle my RSS feeds.

[MacRumors]

Open source programmer Brian Mastenbrook has discovered a security flaw in the way that Safari handles RSS feeds. The vulnerability, which affects both Mac and Windows versions of Safari, could allow a malicious website to gain access to sensitive user data.

Quote:

I have discovered that Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention. This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites. The vulnerability has been acknowledged by Apple.

Mastenbrook reports that all OS X 10.5 Leopard users, regardless of whether they use Safari or RSS feeds, should protect themselves by choosing an application other than Safari for reading RSS feeds, an option available in the "RSS" tab of Safari's Preferences. Safari for Windows users should utilize a different browser until Apple issues a patch. Mastenbrook, who has received credit from Apple for reporting a number of security issues over the past year, says that Apple has not given a timeframe for a fix.

Article Link: Security Vulnerability Found in Safari RSS

[plumbingandtech]

The temp fix is very easy. Everyone should do so now:

Quote:

Open Safari and select Preferences... from the Safari menu.
Choose the RSS tab from the top of the Preferences window.
Click on the Default RSS reader pop-up and select an application other than Safari.

[chainprayer]

Scary. Its amazing what people can do today. Everything was so simple before the internet :P

[Jayomat]

I hope people start realizing that Safari isn't, as apple puts it, "the world's best browser".......

[pimentoLoaf]

So ... who makes the best RSS reader?

[Spades]

If this doesn't affect Mail, you can switch to that as your RSS reader. I've been using Mail as my RSS reader since Leopard came out. Works better than Safari did.

[Drumjim85]

Quote:

Originally Posted by pimentoLoaf

So ... who makes the best RSS reader?

google?

[fendol]

I don't use RSS, but for those who do this looks like something serious as they can access your hardrive just like that. Remember this is for both Windows and Mac safari users

[J the Ninja]

Quote:

Originally Posted by pimentoLoaf

So ... who makes the best RSS reader?

Firefox. Live bookmarks!

[acxz]

They say switch to an alternative RSS reader, but surely if you stick to reputable feeds this won't be an issue?

Should be interesting to see how long it takes Apple to release a patch anyhow.

[andiwm2003]

thats bad for mac users. windows users are used to such things anyway.

i hope apple fixes that soon. i'm actually surprised that OS X allows that to happen. i guess lots of other apps have similar gaps.

[EmperorDarius]

Quote:

Originally Posted by Jayomat

I hope people start realizing that Safari isn't, as apple puts it, "the world's best browser".......

Why not? No browser is immune to vulnerabilities.

[lowbatteries]

Quote:

Originally Posted by pimentoLoaf

So ... who makes the best RSS reader?

It depends on how you use RSS feeds. If you read them like email, where each post deserves your attention, use Mail. If you use them just to see what's the latest on a particular website, Firefox live bookmarks are nice.

I use NetNewsWire just so I have syncing between my Mac and my iPhone.

First though I would see what programs are already in your Dock and check on their RSS options - if you already have Firefox, Safari, Mail, Thunderbird, or any other browser or mail program running, use those. No use in running another always-on program if you don't need to.

Like another poster said, if you are only getting RSS feeds from reputable sites (and no comments feeds - those could be bad), Safari should be fine.

[NATO]

Does this mean you'd have to subscribe to an 'infected' RSS feed in order to be vulnerable? ie, would you be okay to continue using Safari for RSS if you're only using reputable feeds, eg. MacRumors?

Edit - Whoops, skimmed through the posts and managed to miss the one that actually seemed to answer my question.. doh

[lowbatteries]

Quote:

Originally Posted by Jayomat

I hope people start realizing that Safari isn't, as apple puts it, "the world's best browser".......

I think its a matter of opinion what the BEST browser is. I think its safe to say what the world's WORST browsers are, in order:

1. IE6
2. IE7
3. IE8

So I think the "world's best browser" is ANY browser that isn't IE.

EDIT: I just realized that most standard cell phone browsers should be in that list too.

[Sehnsucht]

Quote:

Originally Posted by lowbatteries

EDIT: I just realized that most standard cell phone browsers should be in that list too.

IE mobile (for WinMo) sucks ass. I used to have a Motorola Q and threw that thing as far as I could.

[lkrupp]

Quote:

Originally Posted by Jayomat

I hope people start realizing that Safari isn't, as apple puts it, "the world's best browser".......

Let's see now. You joined MacRumors just this month and are already trolling away. So why are you here anyway? Are you a Mac user? A Windows fanboy?

So should we all crawl under our beds in fear now? I, for one, don't plan on doing anything. Notice that the "researchers" always use words like "might", "could", "maybe", "under certain conditions"? Isn't the only thing we have to fear supposed to be fear itself? Chicken Little's are always ready to wring their hands and fret. What a way to live one's life, in constant fear.

[settledown]

I have set Chess to be my RSS feed reader.

I think that should fix it.

[MarkMS]

Straight from Brian Mastenbrook's website:

Quote:

... users of Mac OS X Leopard should protect themselves until a fix is issued by Apple by choosing a default feed reader other than Safari, such as Mail.

So those who don't use RSS apps can just link up to Mail.app and be okay for now.

[lkrupp]

Quote:

Originally Posted by r.j.s

Good thing I don't use Safari to handle my RSS feeds.

So how do you know that what you do use isn't just as vulnerable, hmmmm?

[SFStateStudent]

Has Safari 4.0 addressed this issue? I've already defaulted RSS to FF, though I've never used RSS...

[thejadedmonkey]

Quote:

Originally Posted by lowbatteries

I think its a matter of opinion what the BEST browser is. I think its safe to say what the world's WORST browsers are, in order:

1. IE6
2. IE7
3. IE8

So I think the "world's best browser" is ANY browser that isn't IE.

EDIT: I just realized that most standard cell phone browsers should be in that list too.

Dude, I'm using IE8 right now, and aside from some minor bugs, it's really nice. I don't see how you can complain about something that's not even out of beta yet!

You're also forgetting that when IE6 came out, it was a really good browser. There were no CSS issues because there were no browser wars- IE6 was the internet.

Don't forget about IE for mac. That was one of the BEST browsers out there, for quite some time.