SecureMac, Inc.


Apple Safari Vulnerability

Posted on June 9, 2009

XXE attack – Local File Theft Vulnerability

Updated: June 15th, 2009

Security Risk: Moderate

UPDATE: Today Apple released Java for Mac OS X 10.5 Update 4, which appears to correct the Java vulnerability reported by SecureMac last month. The update requires OS X 10.5.7 or higher. More information can be found at http://support.apple.com/kb/HT3581.

Safari prior to version 4 (released June 8th, 2009) may permit a malicious web page to steal files from the local system when the user simply visits the page, without further interaction. The vulnerability is present in Safari on both Mac OS X and Windows. The attack is accomplished by mounting an XXE (XML external entity) attack against the parsing of the XSL XML.

Chris Evans has documented this vulnerability in an advisory on his website: http://scary.beasts.org/security/CESA-2009-006.html

Safari 4 is now available for download for both Windows and Macintosh systems. We suggest upgrading to it or using an alternative browser such as Firefox.
