Tricky Safari security issue surfaces


A potentially significant security flaw in Safari, one that is somewhat difficult to work around, has surfaced for both Mac (10.5 only) and Windows. Originally it was believed that there was a simple workaround, but that workaround is now in question.


Programmer and security researcher Brian Mastenbrook posted a warning about the flaw over the weekend. The flaw, he claims, could reveal any file on your system to an attacker if you browse to a malicious Web site. Although any report of so serious a flaw needs to be questioned, the poster does have a track record in this area. Also, security expert Rich Mogull states on the TidBITS Web site that “We have strong indications that the problem is real,” so it certainly should be taken seriously.


Unfortunately, the original workaround, still listed on the TidBITS Web site, is now said by Mr. Mastenbrook to be insufficient. Whether he is being overly conservative now (and was overly aggressive in his initial warnings) is unknown. Worse, the replacement workaround now listed is complex enough that it might well lessen, rather than increase, security, so you may not want to implement it.


The flaw itself involves RSS, Really Simple Syndication. The initial workaround was just to turn RSS reading off in Safari, by setting another application to read RSS (via Safari Preferences). You should at minimum do this until Apple comes out with a fix or another simple workaround is discovered. You should also be very wary of any site that you don’t know well that includes RSS. Just in case. Better safe than sorry.

Wednesday, January 14, 2009
