The company is relying on the fact that user interaction is required to exploit the flaw
Security researchers from Rapid7 have identified a vulnerability in the Safari web browser that could be exploited by cybercriminals for a number of malicious tasks. However, Apple doesn’t plan on fixing the issue because the attack requires user interaction. The flaw in question, a Universal cross-site scripting (UXSS) issue, plagues the security model behind the .webarchive file format, which is used to save all the resources from a webpage into a single file.
For the attack to work, the cybercriminal must send victims a maliciously crafted webarchive file and convince them to manually open it.
Apple relies on the fact that users are presented with a warning which informs them that the “content was downloaded from a webpage,” before they open the file.
On the other hand, experts say that “this is a potentially dangerous decision,” especially since there are numerous attack vectors.
Since there’s no fix for the issue, Rapid7 advises users to avoid opening .webarchive files.