Serious security vulnerability in Safari web browser reported

An open source software engineer with a history of uncovering flaws in Mac OS X claims to have uncovered a security vulnerability in Apple’s web browser Safari, affecting both Windows and Apple Mac users.

Brian Mastenbrook has blogged that a serious vulnerability in the way that Safari handles RSS feeds could be abused by hackers to gain access to any file on your hard drive.

It’s important to realise that at the moment there is no reason to believe that the vulnerability is being exploited in the wild. Given Mastenbrook’s track record at finding flaws, it would seem sensible to take his warning seriously, and he reports that Apple has acknowledged the existence of the vulnerability to him.


Mastenbrook offers a simple workaround for Apple Mac users – he says they should select a different feed reader in their preferences:

  1. Open Safari and select Preferences… from the Safari menu.
  2. Choose the RSS tab from the top of the Preferences window.
  3. Click on the Default RSS reader pop-up and select an application other than Safari.

Life isn’t so easy for users of Safari on Windows, however. Mastenbrook advises that Windows users choose an alternative browser until Apple issues a fix for the vulnerability.

Vulnerabilities in web browsers shouldn’t, of course, be taken lightly. The recently published Sophos Security Threat Report revealed the increasing use of the web by cybercriminals to steal money and take over poorly secured computers.

UPDATE: Mastenbrook has now blogged that his workaround for Apple Mac users is not effective. Please visit his blog for more information.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
