
MacRumors

macrumors bot
Apr 12, 2001
55,031
17,414
Security Vulnerability Found in Safari RSS



Open source programmer Brian Mastenbrook has discovered a security flaw in the way that Safari handles RSS feeds. The vulnerability, which affects both Mac and Windows versions of Safari, could allow a malicious website to gain access to sensitive user data.

I have discovered that Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention. This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites. The vulnerability has been acknowledged by Apple.

Mastenbrook reports that all OS X 10.5 Leopard users, regardless of whether they use Safari or RSS feeds, should protect themselves by choosing an application other than Safari for reading RSS feeds, an option available in the "RSS" tab of Safari's Preferences. Safari for Windows users should utilize a different browser until Apple issues a patch. Mastenbrook, who has received credit from Apple for reporting a number of security issues over the past year, says that Apple has not given a timeframe for a fix.

Article Link: Security Vulnerability Found in Safari RSS
 

plumbingandtech

macrumors 68000
Jun 20, 2007
1,993
1
The temp fix is very easy. Everyone should do so now:


Open Safari and select Preferences... from the Safari menu.
Choose the RSS tab from the top of the Preferences window.
Click on the Default RSS reader pop-up and select an application other than Safari.
 

Jayomat

macrumors 6502a
Jan 10, 2009
703
0
I hope people start realizing that Safari isn't, as Apple puts it, "the world's best browser".......
 

Spades

macrumors 6502
Oct 24, 2003
461
0
If this doesn't affect Mail, you can switch to that as your RSS reader. I've been using Mail as my RSS reader since Leopard came out. Works better than Safari did.
 

acxz

macrumors regular
Nov 30, 2007
236
4
They say switch to an alternative RSS reader, but surely if you stick to reputable feeds this won't be an issue?

Should be interesting to see how long it takes Apple to release a patch anyhow.
 

andiwm2003

macrumors 601
Mar 29, 2004
4,365
432
Boston, MA
that's bad for mac users. windows users are used to such things anyway. :p

i hope apple fixes that soon. i'm actually surprised that OS X allows that to happen. i guess lots of other apps have similar gaps.
 

lowbatteries

macrumors regular
Mar 21, 2008
223
15
So ... who makes the best RSS reader?

It depends on how you use RSS feeds. If you read them like email, where each post deserves your attention, use Mail. If you use them just to see what's the latest on a particular website, Firefox live bookmarks are nice.

I use NetNewsWire just so I have syncing between my Mac and my iPhone.

First though I would see what programs are already in your Dock and check on their RSS options - if you already have Firefox, Safari, Mail, Thunderbird, or any other browser or mail program running, use those. No use in running another always-on program if you don't need to.

Like another poster said, if you are only getting RSS feeds from reputable sites (and no comments feeds - those could be bad), Safari should be fine.
 

NATO

macrumors 68000
Feb 14, 2005
1,699
32
Northern Ireland
Does this mean you'd have to subscribe to an 'infected' RSS feed in order to be vulnerable? I.e., would you be okay to continue using Safari for RSS if you're only using reputable feeds, e.g. MacRumors?

Edit - Whoops, skimmed through the posts and managed to miss the one that actually seemed to answer my question.. doh :p
 

lowbatteries

macrumors regular
Mar 21, 2008
223
15
I hope people start realizing that Safari isn't, as Apple puts it, "the world's best browser".......

I think it's a matter of opinion what the BEST browser is. I think it's safe to say what the world's WORST browsers are, in order:

1. IE6
2. IE7
3. IE8

So I think the "world's best browser" is ANY browser that isn't IE.

EDIT: I just realized that most standard cell phone browsers should be in that list too.
 

lkrupp

macrumors 65816
Jul 24, 2004
1,239
2,117
I hope people start realizing that Safari isn't, as Apple puts it, "the world's best browser".......

Let's see now. You joined MacRumors just this month and are already trolling away. So why are you here anyway? Are you a Mac user? A Windows fanboy?

So should we all crawl under our beds in fear now? I, for one, don't plan on doing anything. Notice that the "researchers" always use words like "might", "could", "maybe", "under certain conditions"? Isn't the only thing we have to fear supposed to be fear itself? Chicken Littles are always ready to wring their hands and fret. What a way to live one's life, in constant fear.
 

MarkMS

macrumors 6502a
Aug 30, 2006
992
0
Straight from Brian Mastenbrook's website:
... users of Mac OS X Leopard should protect themselves until a fix is issued by Apple by choosing a default feed reader other than Safari, such as Mail.


So those who don't use RSS apps can just link up to Mail.app and be okay for now.
 

thejadedmonkey

macrumors G3
May 28, 2005
8,748
2,204
Pennsylvania
I think it's a matter of opinion what the BEST browser is. I think it's safe to say what the world's WORST browsers are, in order:

1. IE6
2. IE7
3. IE8

So I think the "world's best browser" is ANY browser that isn't IE.

EDIT: I just realized that most standard cell phone browsers should be in that list too.

Dude, I'm using IE8 right now, and aside from some minor bugs, it's really nice. I don't see how you can complain about something that's not even out of beta yet!

You're also forgetting that when IE6 came out, it was a really good browser. There were no CSS issues because there were no browser wars- IE6 was the internet.

Don't forget about IE for Mac. That was one of the BEST browsers out there, for quite some time.
 

JG271

macrumors 6502a
Dec 17, 2007
784
1
UK
Damn. The only reason I use safari over firefox is because of the RSS reader!

This programmer guy could have waited to make the news public :rolleyes:
Now hackers will know about it!
 