Friday, January 16, 2009

Safari users warned of unpatched flaw

Users of Apple's Safari web browser are being warned of an unpatched security vulnerability that can reveal sensitive information – even if you use a different web browser.

According to research by Brian Mastenbrook – via Techmeme – the software, which is installed by default in all versions of Mac OS X and is also available for Windows-based PCs, has a major security hole in its implementation of the RSS standard.

Although details have not been made public – for obvious reasons – Mastenbrook does state that the flaw can be used by a remote attacker to "gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites."

Users of Safari on Microsoft Windows are advised to switch – at least temporarily – to a different browser, and to ensure that Safari is not selected as the system default for either HTML or RSS data. Mac OS X users are advised to choose a different default RSS reader in the Preferences menu of Safari in order to protect themselves while waiting for a patch – even if they already use a different program to browse the web or access RSS feeds.

While the flaw has been acknowledge by Apple, an official statement – or news about when a patch might be due – has not yet been forthcoming. Without technical information it's hard to judge the scope of the flaw, but Mastenbrook has a quartet of bug kills to his name already having been responsible discovering four separate security issues in Mac OS X that Apple has since patched using information he provided.

Any Safari users hoping that Apple gets this hole patched ASAP, or is Mastenbrook over-egging the severity of the flaw for his own ends? Share your thoughts over in the forums.

0 comments: