Disclosure of information vulnerability in Safari
Posted on Sun, 11 Jan 2009
Last edited Wed, 14 Jan 2009
Note: The original version of this page contained a simple workaround for this issue which I believed would protect users against this problem. I have since discovered (on 13 January 2009) that changing the default RSS feed reader application in Safari does not correctly disassociate Safari from all RSS feed URLs. The workaround section of this post has been updated with additional information. I regret that what initially appeared to be a simple workaround is now substantially more complicated and requires the installation of third-party software to perform.
I have discovered that Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read files on a user's hard drive without user intervention. This can be used to gain access to sensitive information stored on the user's computer, such as emails, passwords, or cookies that could be used to gain access to the user's accounts on some web sites. The vulnerability has been acknowledged by Apple.
All users of Mac OS X 10.5 Leopard who have not performed the workaround steps listed below are affected, regardless of whether they use any RSS feeds. Users of previous versions of Mac OS X are not affected.
Users of Firefox, Camino, and Opera on Mac OS X are substantially better protected against exploitation by a malicious web page than users of Safari or OmniWeb. If users of these browsers are asked to open a link in Safari, they should not allow the request and close the page which triggered the request immediately. All users of Mac OS X may still be affected by clicking on a malicious link from their email client, instant messaging program, or another application, and should perform the workaround steps given below.
Users of Safari on Windows are also affected. Users who have Safari for Windows installed but do not use it for browsing are not affected.
The details of this vulnerability have not been made public to the best of my knowledge, but secrecy is no guarantee against a sufficiently motivated attacker.
To work around this issue until a fix is released by Apple, users should perform the following steps:
- Download and install the RCDefaultApp preference pane, following the included instructions.
- Open System Preferences and choose the Default Applications option.
- Select the "URLs" tab in the window that appears.
- Choose the "feed" URL type from the column on the left, and choose a different application or the "<disabled>" option.
- Repeat the previous step for the "feeds" and "feedsearch" URL types.
The only workaround available for users of Safari on Windows is to use a different web browser.
Apple has not made information available on when a fix for this issue will be released. Users with questions or concerns should contact Apple as I have no additional information about this vulnerability which can be shared at this time.
For the curious, security issues in Mac OS X which I previously reported to Apple were fixed in Security Updates 2008-001, 2008-002, 2008-003, and 2008-004.
Mac OS X.5 Leopard and Windows Safari RSS security issue—PING!
This has not been vetted for legitimacy, but Brian Masterbrook does have a background in finding vulnerabilities. However, I suspect this is a buffer overflow type issue. If the RSS feeds use the regular data stack area, then there is little damage a buffer overflow could do because on Macs the data stack is non-executable. Any malicious command imbedded in the overflow could not execute. Also, the command locations, say for the system command to load or open a file, are randomized so that any such command to jump to a system calls would land purely randomly and be unlikely to hit on anything damaging.
Windows Safari users might be more at risk.
Apple Safari Ping!
If you want on or off the Mac Ping List, Freepmail me.