Brian Mastenbrook, credited with finding several security vulnerabilities that Apple patched in its Security Updates, has found another one that could potentially allow a malicious website to read files on a user’s hard drive without the user’s consent.
This would effectively let an attacker access many files on your computer, including e-mails, cookies, passwords and other sensitive information kept on the hard drive. The flaw uses the RSS reader built into Safari to gain access, and since Safari is the default RSS reader in Mac OS X 10.5 Leopard, Leopard is affected regardless of whether you use another web browser or whether you read RSS feeds.
Users of Safari for Windows are also affected, but if you don’t use it for browsing, then you are not affected by this vulnerability. While the details have not been made public, Mastenbrook gives tips on how to change the default RSS reader from Safari to any other application:
- Open Safari and select Preferences… from the Safari menu.
- Choose the RSS tab from the top of the Preferences window.
- Click on the Default RSS reader pop-up and select an application other than Safari.
The only workaround for Windows users is to switch to another web browser.