Filed under: Security
Safari RSS vulnerability might reveal your personal data
This vulnerability is patched in the 2009-001 security updates.When reports of security issues in Apple's Safari browser come over the transom, they get our attention. When they're exploitable in both the Mac and Windows versions of Safari, they get our full and undivided attention. When the person reporting them is Brian Mastenbrook (credited with discovering multiple previous vulnerabilities in Mac OS X)... well, someone shut off that damn klaxon and let us get back to work. In this case, the issue is that a hole in Safari's handling of RSS feeds could allow an attacker (via a malicious web page) to capture a user's personal information, cookies or even passwords.
While Brian has not posted more details of the vulnerability publicly, he has acknowledgment from Apple that the issue exists; hopefully we will see an update soon that closes this hole. In the meantime, although Windows Safari users are advised to use a different browser to avoid the vulnerability, Mac users can simply set an alternative RSS feed handler to work around the issue.
Update 1/14: Per Brian's further research, the workaround below is not adequate to protect against the vulnerability, as Safari also handles URL types of 'feeds' and 'feedsearch,' which cannot be set to alternative handlers within Safari itself. The revised workaround calls for the RCDefaultApp preference pane, which does let you redirect the other URL types.
RCDefaultApp settings for "feeds" and "feedsearch" also need to be modified.
Thanks to Brian for the heads up & everyone who sent this in.
Get a WordPress.com Blog
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 1)
jniiiice said 1:03AM on 1-13-2009
How does it affect the rss visualizer screensaver?
Reply
bshigenaka said 1:13AM on 1-13-2009
You can also just set Mail as your RSS reader if you don't use the feature.
Reply
Bryan said 2:06AM on 1-13-2009
Why doesn't Vienna ever get mentioned amongst free RSS readers for OS X? It looks and works great, has been updated often, is open source, and is the only RSS reader mentioned on this page that is truly "free".
Reply
jln said 3:17AM on 1-13-2009
I was asking myself the same thing. I'm allways surprised not to see it mentionned. Sure it doesn't have lot of extra features like NNW for example, but it has simplicity and ease of use, which is a big plus for a RSS reader, imho.
Jash Sayani said 7:44AM on 1-13-2009
I use Vienna. It has an excellent interface!
Reply
Wim37u said 8:12AM on 1-13-2009
I am using VIenna but isn't it using webkit, too? alt+ctrl+d for example is dictionary search like in Safari.
Reply
Luigi193 said 8:47AM on 1-13-2009
Apple + Option + d is a sign its a Cocoa Application, not necessarily WebKit, it may very well be WebKit, but you can't confirm an application of using WebKit by using the dictionary trick.
Niklas said 11:49AM on 1-13-2009
Most RSS readers on the mac are webkit-based. This seems to be a bug with safari and not the layout/rendering engine.
Bob S. said 11:46AM on 1-13-2009
I looked at Mastenbrook's page and he specifically mentions Leopard many times. Are we 10.4 users safe? Or did he just not bother to check earlier OS releases?
Reply
Michael Rose said 1:57PM on 1-13-2009
He confirmed to me that Tiger users are NOT vulnerable.
Bob S. said 12:52AM on 1-14-2009
Thanks, Michael.
As for how one visits a maliciously crafted Web page, oddly enough, I did just that at work yesterday. A local restaurant's Web site was hacked after they received some publicity for participating in an event sponsored by a museum here in Chicago. While the page targets Windows, it crashes Safari under 10.5, a friend confirmed; he used Linux and a few tools to figure out that it delivers some 249 payloads via heavily obfuscated Javascript. I'll happily buy one of our IT people a beer if my PC works normally when I go in tomorrow. Fortunately, those of us who leave our PCs on every night have nightly backups, so our IT guy can restore to Friday night's state.
As for experience, I created my first account on Athena in '82.
macboyinsf said 1:51PM on 1-13-2009
Not trying to be funny here but how does an experienced user of the internet knowingly stumble upon a "malicious web page"? Just wondering if I really need to be concerned about this as long as I know where I am going on the web?
Reply
Michael Rose said 1:59PM on 1-13-2009
Well, that's the funny thing. Have you ever gotten an email from a friend -- or a Twitter direct message, or a Facebook ping -- that included an innocuous-seeming body and a single URL? Ever click that URL without thinking? Whoops.
machack said 3:51AM on 1-17-2009
that is the point: you will unknowingly stumble into pages, sites, redirects, phishes and more where iframe php java injection exploits are hidden in page codes all over the place. those mostly affect internet explorer/windoze users, but the risks to mac users in these and other areas -- privacy included -- are increasing exponentially.
the stuff is there; you can't see it. so-called safe sites are not 100% safe.
i prefer the safety of noscript combined with netcraft toolbar in minefield (firefox optimized for macs) but it's so damn ugly and mainly slow, sluggish lumbering compared to safari and camino that I rarely use it. and even noscript is not foolproof BUT it's better than anything else out there.
macboyinsf said 2:19PM on 1-13-2009
at Michael Rose:
I don't do Twitter and although I am on Facebook, I never click on any links from Facebook email messages. I always log into my account. In fact, I never, ever access any URLs from email no matter who they are from; no "unsubscribe" links or electronic greeting cards. Nada. I'm just old school in my way cause I've learned from past experience. That's why I was serious in asking.
Reply
Michael Rose said 4:13PM on 1-13-2009
The behavioral profile you describe makes you both an exceptional Internet user, and also quite unlikely to be affected by this vulnerability (unless a site you normally visit and trust is compromised and you get hit with a bad popup or iframe).
pc said 9:52PM on 1-13-2009
are you also vulnerable if you use the RSS reader located in mail?
Reply
mherstand said 3:17AM on 2-04-2009
What application should be used to run "feeds" and "feedsearch" via RCDefaultApp? Both NetNewsWire and Firefox are grayed out when "Recommended Apps" is selected.
Reply