Disclosure of information vulnerability in Safari

Posted on Sun, 11 Jan 2009
Last edited Thu, 12 Feb 2009
Note: This issue has been addressed by Apple Security Update 2009-001. All users of Leopard and of Safari on Windows should install this update immediately. An explanation of the issue is available here. The information that follows is of historical interest only.

I have discovered that Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention. This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites. The vulnerability has been acknowledged by Apple.

All users of Mac OS X 10.5 Leopard who have not performed the workaround steps listed below are affected, regardless of whether they use any RSS feeds. Users of previous versions of Mac OS X are not affected.

Users of Firefox, Camino, and Opera on Mac OS X are substantially better protected against exploitation by a malicious web page than users of Safari or OmniWeb. If users of these browsers are asked to open a link in Safari, they should not allow the request and should immediately close the page that triggered it. All users of Mac OS X may still be affected by clicking on a malicious link from their email client, instant messaging program, or another application, and should perform the workaround steps given below.

Users of Safari on Windows are also affected. Users who have Safari for Windows installed but do not use it for browsing are not affected.

The details of this vulnerability have not been made public to the best of my knowledge, but secrecy is no guarantee against a sufficiently motivated attacker.

To work around this issue until a fix is released by Apple, users should perform the following steps:

  1. Download and install the RCDefaultApp preference pane, following the included instructions.
  2. Open System Preferences and choose the Default Applications option.
  3. Select the "URLs" tab in the window that appears.
  4. Choose the "feed" URL type from the column on the left, and choose a different application or the "<disabled>" option.
  5. Repeat the previous step for the "feeds" and "feedsearch" URL types.

The only workaround available for users of Safari on Windows is to use a different web browser.

Apple has not made information available on when a fix for this issue will be released. Users with questions or concerns should contact Apple, as I have no additional information about this vulnerability that can be shared at this time.

For the curious, security issues in Mac OS X which I previously reported to Apple were fixed in Security Updates 2008-001, 2008-002, 2008-003, and 2008-004.
