or Connect
AppleInsider › Forums › Software › Mac Software › Security flaw in Safari's RSS feeds reported
New Posts  All Forums:Forum Nav:

Security flaw in Safari's RSS feeds reported

post #1 of 11
Thread Starter 
An open source software engineer says he's found a vulnerability in Safari for Mac and Windows that could compromise a user's files and passwords if successfully exploited.

Brian Mastenbrook didn't get specific in aÂ*blog entryÂ*posted Sunday, but he did claim his discovery has already been acknowledged by Apple.Â* All users of Mac OS X 10.5 Leopard are affected, whether they use RSS feeds or not, as long as they have not changed their preference from the default, as seen below.

"Safari ... is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention," Mastenbrook wrote.Â* "This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites."

According to Mastenbrook, Mac OS X Leopard users should change their Default RSS reader preference to another feed reader.Â* Possible solutions include Mail andÂ*NetNewsWire.

Safari for Windows users should use a different web browser until the security hole is patched, he said.



Mastenbrook has a credible reputation for bug reporting, withÂ*noÂ*fewerÂ*thanÂ*fourÂ*mentions,Â*by name, in previous Apple release notes.
post #2 of 11
Just goes to show that ALL software has the potential of being compromised. Windows, Mac OS, Linux, whatever...

For all Safari users, I hope Apple releases a quick fix.
Go Linux, Choose a Flavor!
"I aim to misbehave"
Reply
Go Linux, Choose a Flavor!
"I aim to misbehave"
Reply
post #3 of 11
What's funny is that RSS used to be this huge thing back in like 2003. I never got into it, I simply visit a specific list of bookmarks each day. Maybe that's old school, but I guess its "more secure".
post #4 of 11
Well, if we're suggesting other RSS viewers/readers, let me put in a plug for Vienna. Switched to it a couple of years ago and never looked back. It's free, specific to the Mac, and open source. So open that I've even mucked around with how it displays the feed items a bit to meet my preferences.

http://www.vienna-rss.org/

That said, it's certainly possible that other readers have their own security flaws.
post #5 of 11
I use reader.google.com

Works great.
post #6 of 11
Quote:
Originally Posted by pmjoe View Post

Well, if we're suggesting other RSS viewers/readers, let me put in a plug for Vienna. Switched to it a couple of years ago and never looked back. It's free, specific to the Mac, and open source. So open that I've even mucked around with how it displays the feed items a bit to meet my preferences.

http://www.vienna-rss.org/

That said, it's certainly possible that other readers have their own security flaws.

I'm just sticking with Safari as my RSS reader. I don't plan on crawling under my bed in fear.
post #7 of 11
Quote:
Originally Posted by archer75 View Post

I use reader.google.com

Works great.

reader.google.com is a web page. I think the point is that if you are using Safari to view web pages, you need to make the change to your preferences.

Quote:
All users of Mac OS X 10.5 Leopard are affected, whether they use RSS feeds or not, as long as they have not changed their preference from the default.

Life is too short to drink bad coffee.

Reply

Life is too short to drink bad coffee.

Reply
post #8 of 11
He targets 10.5 users.

What about the RSS design for 10.5 that makes 10.4.x not necessarily reported?

He should test this "vulnerability" with Safari Developer 4.x. If it's available he should contact ADC and report that it's still there in trunk. If not, he should be clear that it's been fixed upstream and urges Apple backport it downstream to Safari 3.2.1 with a new version, Safari 3.2.2.
post #9 of 11
Quote:
Originally Posted by lkrupp View Post

I'm just sticking with Safari as my RSS reader. I don't plan on crawling under my bed in fear.

Ditto!
post #10 of 11
Quote:
Originally Posted by camroidv27 View Post

Just goes to show that ALL software has the potential of being compromised. Windows, Mac OS, Linux, whatever...

You said it, Bill! On the one hand, an untested RSS browser hack; on the other, an OS crawling with bugs and viruses requiring constant flushing, patches, security applications, and a near daily dose of restarts and uncertainty. Yep, same diff!
post #11 of 11
It's not very difficult to parse an XML file and render it. I really don't see how you could have a security hole in a piece of code like that, unless you are really just not paying attention.
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Mac Software
AppleInsider › Forums › Software › Mac Software › Security flaw in Safari's RSS feeds reported