Re: Mac Hack



On Fri, 20 Apr 2007 21:15:49 -0600, none <a@xxxxx> wrote:

PC Guy <pcguy@xxxxxxxxxxx> wrote:

"Dai Zovi, who has previously been credited by Apple for finding flaws
in Mac software, found the Safari vulnerability and wrote the exploit
overnight in about 9 hours, he said."


So much for Mac security. What a myth.


Tom Elam

But dude!!!! "It's not in the Wild!!!!" LOL, whatever that means... not in
the wild. Hysterical!

Not the point.

It is if you're a Mactard trying to spin yet another exploit away.

Nine hours to write a Safari exploit on a fully
patched machine. Trivial.

More, from The Register:

"The exploit means that Dino Dai Zovi is the rightful owner of the
2.3Ghz 15-inch MacBook Pro and a $10,000 prize offered by Tipping
Point, which runs the Zero Day Initiative bug bounty program. More
importantly, his work effectively throws cold water on tired claims
from Apple and its many lackeys that the Mac is all but immune from
the kind of security attacks more regularly perpetrated against
Windows-based machines.

Dai Zovi, who is not attending the conference, was recruited on
Thursday night by Shane Macaulay, a friend and conference attendee.
The ease Dai Zovi found in pwning the machine was all the more
remarkable, given an update Apple pushed out yesterday patching 25 Mac
security holes. Macaulay described Dai Zovi's vulnerability as a
client-side javascript error that executed arbitrary code when Safari
visited a booby-trapped website."

still requires full access to the machine,

As has every Windows vulnerability since SP2 was released. A default
Windows XP system just sitting there with no user interaction will not
be compromised either.

so it's not really an exploit, plus it has to use Safari which isn't part of the OS. try again!

Then neither are the exploits for Windows XP since summer of 2003. And
I think it will be little consolation to someone who has had their
identity stolen to know that it wasn't the OS that failed them.