Serious security vulnerability in Safari web browser reported

Filed Under: Apple, Apple Safari

An open source software engineer with a history of uncovering flaws in Mac OS X, claims to have uncovered a security vulnerability in Apple's web browser Safari, affecting both Windows and Apple Mac users.

Brian Mastenbrook has blogged that a serious vulnerability in the way that Safari handles RSS feeds could be abused by hackers to gain access to any file on your hard drive.

It's important to realise that at the moment there is no reason to believe that the vulnerability is being exploited in the wild. Given Mastenbrook's track record at finding flaws it would seem sensible to take his warning seriously, and he reports that Apple has acknowledged the existence of the vulnerability to him.

Mastenbrook offers a simple workaround for Apple Mac users - he says they should select a different feed reader in their preferences:

  1. Open Safari and select Preferences... from the Safari menu.

  2. Choose the RSS tab from the top of the Preferences window.
  3. Click on the Default RSS reader pop-up and select an application other than Safari.

Life isn't so easy for users of Safari on Windows, however. Mastenbrook advises that Windows users choose an alternative browser until Apple issues a fix for the vulnerability.

Vulnerabilities in web browsers shouldn't, of course, be taken lightly. The recently published Sophos Security Threat Report revealed the increasing use of the web by cybercriminals to steal money and take over poorly secured computers.

UPDATE: Mastenbrook has now blogged that his workaround for Apple Mac users is not effective. Please visit his blog for more information.


You might like

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley