Patch/Configuration Management, Vulnerability Management

Apple Safari feed reader flaw could expose private information

An open-source programmer has discovered a potentially major vulnerability in Apple Safari, affecting both the Mac and Windows versions of the web browser, he said this week.

Brian Mastenbrook said on his website that the bug, if exploited, can allow malicious websites to read files sitting on a user's hard drive, without the victim needing to take any action.

"This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords or cookies that could be used to gain access to the user's accounts on some websites," he said, adding that Apple is aware of the bug.

Users of Mac OS X 10.5, code-named Leopard, are affected if they use the default feed reader application preference, regardless if they use a different browser or use RSS feeds at all, Mastenbrook said. Users of Safari for Windows are also impacted, unless they do not use it for browsing.

Mastenbrook said he does not think the vulnerability is publicly known, but users should nonetheless take action to prevent against an exploit.

To protect themselves in advance of a fix from Apple, users should select another feed reader besides the Safari default, he said.

Mastenbrook describes how to select a different feed reader on his site.

An Apple spokeswoman on Tuesday did not respond to a request seeking comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.