According to an alert from Brian Mastenbrook, there is a serious Safari vulnerability that allows a malicious web site to read files on a user's hard drive without user intervention.
This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites. The vulnerability has been acknowledged by Apple. All users of Mac OS X 10.5 Leopard who have not changed their feed reader application preference from the system default are affected, regardless of whether they use any RSS feeds or use a different web browser (such as Firefox). Users of previous versions of Mac OS X are not affected.
Mastenbrook, who has a credible history of reporting security issues affecting the Mac ecosystem, said users of Safari on Windows are also affected.
The researcher recommends that Safari users change the default feed reader in the browser.
To select a different feed reader:
- Open Safari and select Preferences... from the Safari menu.
- Choose the RSS tab from the top of the Preferences window.
- Click on the Default RSS reader pop-up and select an application other than Safari.
For users of Safari on Windows, Mastenbrook says the only available workaround is to use a different web browser.
This is not the first time that Apple's Safari browser has failed a privacy-related test.