MacDailyNews - Where Mac news comes first

Safari RSS vulnerability discovered; simple workaround explained
Tuesday, January 13, 2009 - 06:29 PM EST

"Computer scientist Brian Mastenbrook has discovered a fairly serious bug in Safari's RSS feed handling that can allow a maliciously-crafted web page to access personal information without any knowledge or intervention of the user," Chris Foresman reports for Ars Technica.

"This vulnerability affects any Mac OS X user that has Safari set as the default feed reader in Safari's RSS preferences," Foresman reports.

"The workarounds are fairly simple and straightforward. Mac users need to fire up Safari and go to Safari > Preferences > RSS, and set the default reader to anything other than Safari, even Mail. Windows users can simply use a different browser, though that doesn't bode well for Safari's adoption on Windows. Hopefully Apple will release a fix soon," Foresman reports.

Full article here.

MacDailyNews Note: In Mac OS X Leopard, you can subscribe to an RSS feed in Mail and you’ll know the moment an article hits. You can even choose to have new articles appear in your inbox alongside your latest email messages. Sorting your news is easy, too. Use Smart Mailboxes to organize incoming news articles according to search terms of interest. Mail shares its unread RSS feed count with Safari, so your reading list always stays in sync.

[Thanks to MacDailyNews Reader "Lurker_PC" for the heads up.]

Reader Feedback:

Jan 13, 09 - 06:41 pm Comment from: 7over

Not great that there is a vulnerability like this. The change was simple enough but it would still be good of Apple to get it resolved... if for nothing else than to stem the bad publicity that is likely to ensue as well as the finger pointing we'll get from our Windoze buddies.

Too bad I don't have 70,000+ fingers to point back!

Jan 13, 09 - 06:42 pm Comment from: DLMeyer

So far, Mac's problems have been "theoretical", rather than "actual". This doesn't become an "actual" problem until someone gets bit by it.
This has nothing to do with Apple getting "larger", it's a case of poorly considered code that should have been noticed and fixed before it was released.
Not entirely certain I want my Safari browser opening anything other than, perhaps, Firefox. Will give that a try. It's only the RSS, which is mostly "safe" sites.

Jan 13, 09 - 06:43 pm Comment from: DLMeyer

Done. That's all it took. Of course, I didn't actually have to FIX anything.

Jan 13, 09 - 07:07 pm Comment from: R

Yawn!
M$ = Fucked, Apple = Theory
Nothing to see here, move along, move along

Jan 13, 09 - 07:08 pm Comment from: Ottawa

While it may be a "simple workaround", let's not sugarcoat this MDN; this is a major security blunder which is very inconvenient for Mac users (like me) who have always enjoyed the integrated RSS experience within Safari.

It's pretty disappointing Apple hasn't managed to patch this (or would even let the security hole occur).

We expect better...

Jan 13, 09 - 07:09 pm Comment from: jonahan

I'll still use Safari since I only use RSS on few sites that are trusted.

Jan 13, 09 - 07:19 pm Comment from: coolfactor

MDN has failed to do their homework on this issue, and keep updated on it.

The original author's page states:
"Note: The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I have since discovered (on 13 January 2009) that changing the default RSS feed reader application in Safari does not correctly disassociate Safari from all RSS feed URLs. The workaround section of this post has been updated with additional information. I regret that what initially appeared to be a simple workaround is now substantially more complicated and requires the installation of third-party software to perform."

Linked from the Ars site that MDN links to.

Jan 13, 09 - 07:23 pm Comment from: Brian Bufalo

While it is a serious flaw...why not use Google Reader? By far the best reader out there! Also, Apple does have the occasional problem, before everyone was a fan boy and when they were struggling in the dark times. It just gets more press now that there is no doom and gloom news.

Jan 13, 09 - 07:47 pm Comment from: Gabriel

I still don't "get" why people would want to use RSS in a browser. I've been using RSS in Mail for a while now, and it makes a lot more sense to me there.

Jan 13, 09 - 09:21 pm Comment from: ron

Microsofties - go back in your hole.

Jan 13, 09 - 09:56 pm Comment from: nobodi

What if you have no interest in RSS feeds and don't care to select anything else to handle them, let alone Mail?

Any way to turn off RSS feeds?

Jan 13, 09 - 10:19 pm Comment from: rickw

No offense to anyone, but the RSS feeder in Safari leaves a lot to be desired. I prefer RSS feeder in Mozilla. It works more intuitively, rather than just dropping a bunch of things together, the drop down menu for RSS lets you see a one line introduction and then click on it if you want to read it further. It is much more intuitive and much easier to browse through and select what you want to read.

Pity for the security flaw though, hope it gets fixed soon for those of you who use it.

/rick

Jan 13, 09 - 10:49 pm Comment from: iLuvMyMacs

And this is bigger news than the seemingly incontrollable mutation of spyware that infests the Windows world??? Not that it should be entirely ignored but it needs to be put in perspective. OK - I'll make Mail my default RSS reader > done.

Not a fanboy reaction. I work in the Windows world too. You should see what we deal with here. Over 400 PCs and about 40 Macs. Take a guess on what platform we spend most / all of our time, money and resources. The good news... each quarter we're replacing more PC's with Macs. Little by little.

Jan 13, 09 - 10:52 pm Comment from: HMCIV

Serious Safari flaw? GAAAAH!!! Where's my tinfoil hat? Where's my tinfoil hat!! Too late! No time!!!! [Covers head with Powerbook]

Jan 13, 09 - 11:23 pm Comment from: doh

I'm a PC

and

I'm a .. errr someone just stole my identity.

Now we know why the Mac guy looks like a bum - all his personal data was compromised!

Jan 14, 09 - 07:04 am Comment from: bioness

I moved my RSS to Mail when Leopard came out... it's awesome. I'm surprised no one else has followed...
