Programmer Brian Mastenbrook revealed on 11-Jan-09 that he has discovered a security vulnerability that could allow a malicious Web site you visit using Safari to read any file on your system. The flaw affects the latest versions of Safari when used in Mac OS X 10.5 Leopard or Windows, though not in earlier versions of Mac OS X. Mastenbrook wrote that he has reported the details to Apple.
The vulnerability apparently could reveal the contents of any file, which includes email messages, passwords stored in browser cookies, or other documents. We have strong indications that the problem is real and you should immediately protect yourself in case malicious attackers figure out the vulnerability’s full details before Apple issues a patch.
The vulnerability lies in the Safari RSS reader. According to Mastenbrook, you may be affected even if you never use the reader, as long as Safari is set as your default RSS reader, which it is unless you have changed the setting. This suggests that the problem relates to how Safari handles RSS subscription links or feeds, since browsing to those triggers Safari's RSS reader.
The good news is that it’s relatively easy to protect yourself. If you are on Windows, just stop using Safari until a fix is released. If you are using Mac OS X 10.5 Leopard, follow the updated instructions on Mastenbrook’s Web site, linked above. Simply changing the default RSS reader application in Safari does not provide full protection, unfortunately.
It’s always a relief when there is a reasonable workaround to a potentially serious security vulnerability, and we won’t be surprised if Apple patches this vulnerability fairly quickly.