Re: the exploit that wasn't

On Sat, 21 Apr 2007 08:26:17 -0700, Snit <CSMA@xxxxxxxxxxxxxxxxxxxxx>
wrote:

"none" <a@xxxxx> stated in post
a-0AFD0F.08492621042007@xxxxxxxxxxxxxxxxxxxxxxxxxxx on 4/21/07 7:49 AM:

egg on the face of infoworld -

Nancy Gohring, writing for InfoWorld, delivered a misleading report
yesterday on a Mac security exploit contest held at the CanSecWest
conference in Vancouver, BC.

In her defense, it appears likely that Gohring did not write the
headline for her InfoWorld article, which described the contest winner
as being ³able to remotely break into a Mac as part of a contest
designed to illustrate security flaws in OS X.² That part was simply
wrong.

Whoever did write the headline must have been smoking weed in
celebration of 4/20, because Gohring¹s article clearly described a local
exploit. There¹s a big difference between the remote exploits that made
Windows infamous for its insecurity and a local exploit of an
application.

Gohring reported that ³contestants were invited to try to access one of
two Macs through a wireless access point while the Macs had no programs
running. No attackers managed to do so, and so conference organizers
allowed participants to try to get in through the browser by sending
URLs via e-mail.²

Opening an email URL that exposes a security flaw in Safari is both news
to report and a problem for Apple to tackle, but reporting it as a
remote exploit is inaccurate, irresponsible, and sloppy journalism,
particularly for IDG's InfoWorld, which purports to be an authority on
computing.

If the reports are true then this is a big problem for Apple to "tackle".
Allowing a computer to be taken over by merely viewing a web site is not a
small deal... it is the type thing that has hit Windows time and time again
and the far lower risk of this on Macs has always been an advantage. I hope
Apple fixes this very, very quickly.

And what about the others? Recall that this was a FULLY patched
system.
.

Relevant Pages

  • Re: the exploit that wasnt
    ... Nancy Gohring, writing for InfoWorld, delivered a misleading report ... yesterday on a Mac security exploit contest held at the CanSecWest ... two Macs through a wireless access point while the Macs had no programs ...
    (comp.sys.mac.advocacy)
  • RE: what to do it illegal activity found during pen-test
    ... My initial thought was report it to the police ... designated in the contract at the start of the engagement. ... email you encrypt it using the public key of the security contact given to ... managed service can help you: http://www.cenzic.com/news_events/wpappsec.php ...
    (Pen-Test)
  • Portcullis Advisory 05-006 Update, Webseries Payment Application
    ... Portcullis Security Advisory ... Bottomline acknowledge that there is a slight risk of exposure of data ... via unauthorised report generation. ...
    (Bugtraq)
  • Foot and Mouth. The truth for America
    ... Homeland Security released June 20. ... "If DHS believes Plum Island is truly going to be significantly safer, ... foot-and-mouth disease - facts noted in the Homeland Security report. ... The only scenarios described in the report where an outbreak could ...
    (uk.business.agriculture)
  • Malicious Code On Rise: Web Sites Responsible
    ... In the first quarter of 2007, security firm Sophos ... day infected with so-called malware. ... The report was released during InfoSec, ... Sophos reported that 70% of infected websites were legitimate sites ...
    (comp.dcom.telecom)