CanSecWest Mac exploit through Java, all browsers vulnerable!


Sorry for the exclamation mark, but more details are emerging about the Mac exploit at CanSecWest that require me to post an update. Contrary to what I thought yesterday, the vulnerability is not in Safari but in Java. That means all browsers that use Java are vulnerable, including Firefox and Camino (which I use myself).

According to Matasano, the only way to protect yourself is to turn off Java in your browser settings, and since the flaw is in Java rather than in any one browser, that has to be done in every browser you use. When the full details become available, I wonder how fast Apple is going to fix this. This is one where Apple can really show how it thinks about vulnerability management.

Zero day vulnerability discovered in Safari?


The site of the CanSecWest conference (a Canadian security conference) has announced that the first of the two OS X hacking challenges in their ‘Pwn to Own’ contest has been won:

One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks. Technical details will be forthcoming as the winner works out the release. There is still one more Mac to go. (the same flaw cannot be used again, but other Safari bugs are allowed).

Matasano has some more details on it. Further details will be coming in soon, but for now it shows that the vulnerability is in Safari, so using Firefox or Camino should keep you safe.

TUAW Interview series with Mac developers


The Unofficial Apple Weblog has started a series of interviews with several leading Mac OS X developers to get their thoughts on Leopard, the iPhone and where Apple is headed as a company in light of the Mac OS X delays and Apple’s gadgets. The series kicks off with an interview with Brent Simmons, developer of the well-known NetNewsWire. One of the things Brent says aligns perfectly with a remark from John Gruber I linked to recently:

I think it’s interesting that people didn’t complain about Apple becoming a gadget company so much when it was just iPods and Airports — but now that Apple is using OS X as the foundation for new devices, people are complaining that it’s not a computers company. The irony is this: because these devices run OS X, they’re not only computers, they’re Macs in disguise.

I cannot emphasize it enough: Apple is not becoming a gadget company, gadgets are becoming computers! Apple lets its gadgets run Mac OS X. But that makes it all the more sad that Leopard was delayed. I find it striking that the first release of OS X that Apple is developing without Avie Tevanian is the first release that does not meet its deadline. Maybe Bertrand Serlet is not as much a ‘delivery king’ as Tevanian was…

Welcome to How Stof Works

I am Stof and this site is all about how I try to create a clear path through the (potential) chaos of work and private life, and everything I come across on my way through....

Expect the obligatory Mac nerdery, GTD, gadgets in general but also more specifically things about security.

Of course, I would love to find out what you think as well, so make sure to comment.

See you around!
