Critical Safari vulnerability found, here's how to fix it


Apple patches scores of security vulnerabilities every year (for the most recent, see OS X 10.5.6, Security Update 2008-008). Every once in a while a vulnerability pops up that gets your attention.

A good example of an "in the wild" exploit is Charlie Miller's two-minute-flat hacking of a MacBook Air, which earned him $10,000 and the right to take said same MBA home with him.

Now, here's another example of an exploit that's probably gonna make you sit up and say, "Hmm." Brian Mastenbrook (via MacInTouch) reports that he's found a vulnerability in Safari that allows access to a variety of data:

I have discovered that Apple's Safari browser is vulnerable to an attack that allows a malicious web site to read ... emails, passwords or cookies that could be used to gain access to the user's accounts on some web sites. The vulnerability has been acknowledged by Apple.

According to Miller, this vulnerability affects all OS X 10.5 Leopard + Safari users. Further, Safari for Windows users are also affected.

There's a very simple workaround, again according to Miller, that obviates the attack vector:

① Open Safari and select Preferences... from the Safari menu.

② Choose the RSS tab from the top of the Preferences window.

③ Click on the Default RSS reader pop-up and select an application other than Safari.

If you don't use Safari, this issue doesn't affect you. Moreover, Safari has to be running in order for an attack to use this vulnerability.
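For anyone who wants to confirm the workaround on more than one Mac, here is an added example (not from the original post, Apple, or the researcher): it parses a LaunchServices preferences plist and reports whether the feed URL scheme is explicitly handled by an application other than Safari. It assumes the Default RSS reader choice is stored as an LSHandlers entry for the feed scheme and that an unset handler falls back to Safari; the sample plist and the com.example.feedreader bundle ID are constructed.

```python
import plistlib
import sys

# Assumption: URL scheme(s) controlled by Safari's "Default RSS reader" setting.
FEED_SCHEMES = ("feed",)
SAFARI_ID = "com.apple.safari"

# Constructed sample of LaunchServices handler preferences (not real user data).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>LSHandlers</key><array>
<dict><key>LSHandlerURLScheme</key><string>feed</string>
<key>LSHandlerRoleAll</key><string>com.example.feedreader</string></dict>
<dict><key>LSHandlerURLScheme</key><string>mailto</string>
<key>LSHandlerRoleAll</key><string>com.apple.mail</string></dict>
</array></dict></plist>"""


def feed_handlers(plist_bytes, schemes=FEED_SCHEMES):
    """Map each feed scheme to its handler bundle ID, or None if unset."""
    prefs = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    found = dict.fromkeys(schemes)
    for entry in prefs.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme", "").lower()
        if scheme in found:
            # Bundle IDs are compared case-insensitively.
            found[scheme] = entry.get("LSHandlerRoleAll", "").lower() or None
    return found


def workaround_applied(plist_bytes, schemes=FEED_SCHEMES):
    """True only if every feed scheme has an explicit non-Safari handler.

    An unset handler counts as NOT applied, on the assumption that the
    system default for feeds is Safari.
    """
    handlers = feed_handlers(plist_bytes, schemes)
    return all(h is not None and h != SAFARI_ID for h in handlers.values())


if __name__ == "__main__":
    # Pass a plist path to audit a real file; otherwise use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for scheme, handler in feed_handlers(data).items():
        print(f"{scheme}: {handler or 'unset (assumed Safari)'}")
    print("workaround applied:", workaround_applied(data))
```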
