“Computer scientist Brian Mastenbrook has discovered a fairly serious bug in Safari’s RSS feed handling that can allow a maliciously-crafted web page to access personal information without any knowledge or intervention of the user,” Chris Foresman reports for Ars Technica.
“This vulnerability affects any Mac OS X user that has Safari set as the default feed reader in Safari’s RSS preferences,” Foresman reports.
“The workarounds are fairly simple and straightforward. Mac users need to fire up Safari and go to Safari > Preferences > RSS, and set the default reader to anything other than Safari, even Mail. Windows users can simply use a different browser, though that doesn’t bode well for Safari’s adoption on Windows. Hopefully Apple will release a fix soon,” Foresman reports.
Full article here.
MacDailyNews Note: In Mac OS X Leopard, you can subscribe to an RSS feed in Mail and you’ll know the moment an article hits. You can even choose to have new articles appear in your inbox alongside your latest email messages. Sorting your news is easy, too. Use Smart Mailboxes to organize incoming news articles according to search terms of interest. Mail shares its unread RSS feed count with Safari, so your reading list always stays in sync.
[Thanks to MacDailyNews Reader “Lurker_PC” for the heads up.]
Not great that there is a vulnerability like this. The change was simple enough but it would still be good of Apple to get it resolved… if for nothing else than to stem the bad publicity that is likely to ensue as well as the finger pointing we’ll get from our Windoze buddies.
Too bad I don’t have 70,000+ fingers to point back!
So far, Mac’s problems have been “theoretical”, rather than “actual”. This doesn’t become an “actual” problem until someone gets bit by it.
This has nothing to do with Apple getting “larger”, it’s a case of poorly considered code that should have been noticed and fixed before it was released.
Not entirely certain I want my Safari browser opening anything other than, perhaps, Firefox. Will give that a try. It’s only the RSS, which is mostly “safe” sites.
Done. That’s all it took. Of course, I didn’t actually have to FIX anything.
Yawn!
M$ = Fucked, Apple = Theory
Nothing to see here, move along, move along
While it may be a “simple workaround”, let’s not sugarcoat this, MDN; this is a major security blunder which is very inconvenient for Mac users (like me) who have always enjoyed the integrated RSS experience within Safari.
It’s pretty disappointing Apple hasn’t managed to patch this (or would even let the security hole occur).
We expect better…
I’ll still use Safari since I only use RSS on a few sites that are trusted.
MDN has failed to do their homework on this issue, and to keep updated on it.
The original author’s page states:
“Note: The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I have since discovered (on 13 January 2009) that changing the default RSS feed reader application in Safari does not correctly disassociate Safari from all RSS feed URLs. The workaround section of this post has been updated with additional information. I regret that what initially appeared to be a simple workaround is now substantially more complicated and requires the installation of third-party software to perform.”
Linked from the Ars site that MDN links to.
While it is a serious flaw… why not use Google Reader? By far the best reader out there! Also, Apple does have the occasional problem, before everyone was a fanboy and when they were struggling in the dark times. It just gets more press now that there is no doom and gloom news.
I still don’t “get” why people would want to use RSS in a browser. I’ve been using RSS in Mail for a while now, and it makes a lot more sense to me there.
Microsofties – go back in your hole.
What if you have no interest in RSS feeds and don’t care to select anything else to handle them, let alone Mail?
Any way to turn off RSS feeds?
No offense to anyone, but the RSS feeder in Safari leaves a lot to be desired. I prefer the RSS feeder in Mozilla. It works more intuitively: rather than just dropping a bunch of things together, the drop-down menu for RSS lets you see a one-line introduction and then click on it if you want to read it further. It is much more intuitive and much easier to browse through and select what you want to read.
Pity for the security flaw though, hope it gets fixed soon for those of you who use it.
/rick
And this is bigger news than the seemingly uncontrollable mutation of spyware that infests the Windows world??? Not that it should be entirely ignored, but it needs to be put in perspective. OK, I’ll make Mail my default RSS reader > done.
Not a fanboy reaction. I work in the Windows world too. You should see what we deal with here. Over 400 PCs and about 40 Macs. Take a guess on what platform we spend most / all of our time, money and resources. The good news… each quarter we’re replacing more PCs with Macs. Little by little.
Serious Safari flaw? GAAAAH!!! Where’s my tinfoil hat? Where’s my tinfoil hat!! Too late! No time!!!! [Covers head with Powerbook]
I’m a PC
and
I’m a .. errr someone just stole my identity.
Now we know why the Mac guy looks like a bum – all his personal data was compromised!
I moved my RSS to Mail when Leopard came out… it’s awesome. I’m surprised no one else has followed…