Re: the exploit that wasn't



"none" <a@xxxxx> stated in post
a-0AFD0F.08492621042007@xxxxxxxxxxxxxxxxxxxxxxxxxxx on 4/21/07 7:49 AM:

egg on the face of infoworld -

Nancy Gohring, writing for InfoWorld, delivered a misleading report
yesterday on a Mac security exploit contest held at the CanSecWest
conference in Vancouver, BC.

In her defense, it appears likely that Gohring did not write the
headline for her InfoWorld article, which described the contest winner
as being “able to remotely break into a Mac as part of a contest
designed to illustrate security flaws in OS X.” That part was simply
wrong.

Whoever did write the headline must have been smoking weed in
celebration of 4/20, because Gohring’s article clearly described a local
exploit. There’s a big difference between the remote exploits that made
Windows infamous for its insecurity and a local exploit of an
application.

Gohring reported that “contestants were invited to try to access one of
two Macs through a wireless access point while the Macs had no programs
running. No attackers managed to do so, and so conference organizers
allowed participants to try to get in through the browser by sending
URLs via e-mail.”

Opening an email URL that exposes a security flaw in Safari is both news
to report and a problem for Apple to tackle, but reporting it as a
remote exploit is inaccurate, irresponsible, and sloppy journalism,
particularly for IDG's InfoWorld, which purports to be an authority on
computing.

If the reports are true then this is a big problem for Apple to "tackle".
Allowing a computer to be taken over by merely viewing a web site is not a
small deal... it is the type of thing that has hit Windows time and time
again, and the far lower risk of this on Macs has always been an advantage.
I hope Apple fixes this very, very quickly.


--
• A partial subset is not synonymous with the whole
• A person's actions speak more about him than what others say
• Apple doesn't provide as many options as the rest of the PC industry
