Unpatched Safari bug exposes sensitive info

Safari users are vulnerable to a bug that could allow a malicious website to read files on their hard drive, according to a security researcher
Written by Matthew Broersma, Contributor

Apple's Safari browser on Windows and Mac OS X is vulnerable to a bug that could allow a malicious website to read files on the user's hard drive, according to a security researcher.

The flaw is related to the way Safari handles web feeds such as RSS, but it affects users even if they do not use feeds, researcher Brian Mastenbrook wrote in an advisory published on Sunday. Feeds are a data format used for notifying users of frequently updated content, such as blog posts.

The vulnerability could be used to read sensitive information, such as passwords, on a user's system, Mastenbrook said. An attack could be triggered via a malicious link opened in Safari on either Windows or Mac OS X 10.5, he said. Other versions of Mac OS X are not affected.

Apple has acknowledged the flaw, but has not yet indicated when it will be patched, according to Mastenbrook. "The details of this vulnerability have not been made public to the best of my knowledge, but secrecy is no guarantee against a sufficiently motivated attacker," he wrote in an advisory.

As a workaround, Mac OS X users can change the system's preferences to use an application other than Safari for reading feeds. However, the operating system's built-in method for changing feed reader preferences does not correctly disassociate Safari from feeds, Mastenbrook said.

In a post on Tuesday, he recommended the use of a third-party application such as RCDefaultApp to perform the workaround.

The only workaround available to Safari users on Windows is to use a different browser, Mastenbrook said.
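One way to verify that the Mac OS X workaround actually took, added here as an example that is not from the advisory or this article: a Python script that reads a LaunchServices handler list (a constructed XML plist in the form `plutil -convert xml1` produces from ~/Library/Preferences/com.apple.LaunchServices.plist) and reports which bundle is bound to the feed: URL scheme. The key names are the standard LSHandlers keys; the assumption that no explicit entry means the system default, Safari, is mine.

```python
import plistlib
import sys

SAFARI_BUNDLE_ID = "com.apple.safari"  # compared case-insensitively

# Constructed sample of the LSHandlers array from com.apple.LaunchServices.plist
# after `plutil -convert xml1`. Here the feed: scheme is still bound to Safari.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LSHandlers</key>
  <array>
    <dict>
      <key>LSHandlerURLScheme</key><string>feed</string>
      <key>LSHandlerRoleAll</key><string>com.apple.Safari</string>
    </dict>
    <dict>
      <key>LSHandlerContentType</key><string>public.html</string>
      <key>LSHandlerRoleViewer</key><string>org.mozilla.firefox</string>
    </dict>
  </array>
</dict></plist>"""


def feed_handlers(plist_bytes, scheme="feed"):
    """Return the bundle ids LaunchServices has bound to a URL scheme.

    A handler may be recorded under LSHandlerRoleAll or LSHandlerRoleViewer.
    An empty list means there is no explicit entry for the scheme.
    """
    data = plistlib.loads(plist_bytes)
    found = []
    for entry in data.get("LSHandlers", []):
        if entry.get("LSHandlerURLScheme", "").lower() != scheme:
            continue
        for role in ("LSHandlerRoleAll", "LSHandlerRoleViewer"):
            if role in entry:
                found.append(entry[role].lower())
    return found


def safari_still_handles_feeds(plist_bytes):
    """True if Safari would still open feed: URLs.

    Assumption (not from the article): with no explicit entry the OS default,
    Safari, is used, so an empty handler list also counts as still exposed.
    """
    handlers = feed_handlers(plist_bytes)
    return not handlers or SAFARI_BUNDLE_ID in handlers


if __name__ == "__main__":
    # Pipe the converted plist in; with no stdin the constructed sample is used.
    raw = SAMPLE_PLIST if sys.stdin.isatty() else sys.stdin.buffer.read()
    print("feed: handlers:", feed_handlers(raw) or ["(none, system default)"])
    print("Safari still handles feeds:", safari_still_handles_feeds(raw))
```

On a real machine run `plutil -convert xml1 -o - ~/Library/Preferences/com.apple.LaunchServices.plist | python3 check_feed_handler.py`; the workaround has only taken effect when the script reports a non-Safari handler.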
