Safari’s RSS could compromise your personal data
by at January 13, 2009 1:22 pm
Sections: Mac OS X, Mac Software, Macintosh/Apple Hardware, Operating Systems, Security, Software, Web Applications / Development, Windows

Reports of a new security issue in both the Mac and Windows versions of Safari describe a “hole” in how Safari handles RSS feeds that could allow an attacker to capture a user’s personal information, cookies, passwords, etc. through a malicious web page. The vulnerability was discovered by Brian Mastenbrook, who has previously found many vulnerabilities in Mac OS X.
Apple has acknowledged the problem, which is a good sign: it suggests a fix is being worked on. For now, TUAW suggests that Windows Safari users switch to another browser (Firefox, perhaps?), while Mac users can simply set an alternative RSS feed handler.
To change your feed handler, open Safari’s Preferences and click the RSS button. If you have another RSS feed reader installed, select it from the list provided. If you don’t, TUAW suggests you give NetNewsWire, NewsFire, or the open-source Vienna a try, as they are all free and great applications. Or, if you prefer a nicer commercial RSS reader, you can try my personal favourite, Times, and buy it for only $30. It doesn’t really matter which application you choose, as long as you don’t leave the default setting, where Safari handles RSS feeds on its own.
Also, note that you don’t have to open an RSS feed to trigger the attack; a malicious web page can trigger it on its own as long as your Safari RSS preference is left at the default. So if you use Safari on either Windows or Mac OS X, please follow the instructions above to protect yourself from a potentially dangerous attack.
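If you manage more than one Mac, you may want to check the setting without clicking through Preferences on each machine. The script below is an added example, not code from the original post or from Mastenbrook’s advisory. It assumes that Safari’s RSS preference is stored as the LaunchServices default handler for the feed: (and feeds:) URL schemes in ~/Library/Preferences/com.apple.LaunchServices.plist, under the LSHandlers array with the keys LSHandlerURLScheme and LSHandlerRoleAll; that mapping is my assumption about how the preference is persisted, not something the post states. The plist content is constructed inline so the script runs offline, and the reader bundle ID com.example.FeedReader is a placeholder, not a real application.

```python
import plistlib

# Constructed sample of a com.apple.LaunchServices.plist (not taken from any
# real machine). The feed: scheme is still routed to Safari, i.e. the vulnerable
# default the post describes; feeds: has no entry at all.
VULNERABLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>LSHandlers</key>
  <array>
    <dict>
      <key>LSHandlerURLScheme</key><string>feed</string>
      <key>LSHandlerRoleAll</key><string>com.apple.safari</string>
    </dict>
    <dict>
      <key>LSHandlerURLScheme</key><string>mailto</string>
      <key>LSHandlerRoleAll</key><string>com.apple.mail</string>
    </dict>
  </array>
</dict>
</plist>
"""

SAFARI_BUNDLE_ID = "com.apple.safari"   # LaunchServices stores bundle IDs lower-cased
FEED_SCHEMES = ("feed", "feeds")        # assumption: the URL schemes Safari's RSS reader claims


def audit(plist_bytes: bytes) -> dict:
    """Return {scheme: (handler_bundle_id_or_None, mitigated)} for each feed scheme.

    A scheme with no LSHandlers entry falls back to the system default, which on
    a stock Mac is Safari, so "no entry" is reported as NOT mitigated.
    """
    data = plistlib.loads(plist_bytes)
    handlers = {}
    for entry in data.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        role_all = entry.get("LSHandlerRoleAll")
        if scheme in FEED_SCHEMES and role_all:
            handlers[scheme] = role_all.lower()

    result = {}
    for scheme in FEED_SCHEMES:
        handler = handlers.get(scheme)
        mitigated = handler is not None and handler != SAFARI_BUNDLE_ID
        result[scheme] = (handler, mitigated)
    return result


def set_feed_handler(plist_bytes: bytes, bundle_id: str) -> bytes:
    """Return a copy of the plist with every feed scheme routed to bundle_id.

    Existing feed entries are rewritten; missing ones are added, because an
    absent entry would silently leave Safari as the handler.
    """
    data = plistlib.loads(plist_bytes)
    entries = data.setdefault("LSHandlers", [])
    seen = set()
    for entry in entries:
        scheme = entry.get("LSHandlerURLScheme")
        if scheme in FEED_SCHEMES:
            entry["LSHandlerRoleAll"] = bundle_id.lower()
            seen.add(scheme)
    for scheme in FEED_SCHEMES:
        if scheme not in seen:
            entries.append({"LSHandlerURLScheme": scheme,
                            "LSHandlerRoleAll": bundle_id.lower()})
    return plistlib.dumps(data)


if __name__ == "__main__":
    for scheme, (handler, ok) in audit(VULNERABLE_PLIST).items():
        print(f"{scheme}: handler={handler!r} mitigated={ok}")
    fixed = set_feed_handler(VULNERABLE_PLIST, "com.example.FeedReader")  # placeholder reader
    for scheme, (handler, ok) in audit(fixed).items():
        print(f"{scheme}: handler={handler!r} mitigated={ok}")
```

On a real machine, read the actual file rather than the constructed sample, and treat set_feed_handler as a way to see what the mitigated state looks like rather than as a deployment tool: LaunchServices caches this data, so changing the preference through Safari’s RSS pane is the reliable way to apply it.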
Read [brian.mastenbrook.net] Via [TUAW]