Re: [Fed-Talk] Is there any truth to this subject
- Subject: Re: [Fed-Talk] Is there any truth to this subject
- From: David Hale <email@hidden>
- Date: Tue, 24 Apr 2007 15:12:26 -0400
On Apr 24, 2007, at 12:43 PM, Billy Lenox wrote:
http://www.matasano.com/log/812/breaking-macbook-vuln-in-quicktime-affects-win32-apple-code/
I have read this and still don't believe that Apple is to blame. I
think it is JAVA itself.
What do others think about this?
Billy
Not a statement from Apple but a good review of the situation.
Money Meets Mouth on Mac Exploits
---------------------------------
by Glenn Fleishman <email@hidden>
article link: <http://db.tidbits.com/article/8957>
Two hackers were able to meet a challenge at CanSecWest by gaining
access to one of two fully patched MacBook Pros (one 15-inch, one
17-inch). The computers were updated with the latest security
release from Apple (Security Update 2007-004, released 2007-04-19).
Shane Macaulay and Dino Dai Zovi combined efforts to compromise one
of the Macs. Dai Zovi developed the exploit off-site, relaying it to
Macaulay at the conference. (Other reports indicate that remote
attackers were also eligible, but later reporting seems to
contradict that.)
<http://www.infoworld.com/article/07/04/20/HNmachackedatconference_1.html>
<http://cansecwest.com/>
<http://docs.info.apple.com/article.html?artnum=305391>
<http://news.zdnet.com/2100-1009_22-6178131.html>
The contest was originally set up to offer attendees a chance to win
either of the two MacBook Pro laptops, but 3Com's TippingPoint
division upped the ante by adding a $10,000 prize after the
challenge started. TippingPoint hasn't yet confirmed that it will
award its prize. The company told ZDNet it needs to determine that
the exploit was previously unknown.
The first challenge originally required the winner to retrieve a
file protected with root permission on the root filesystem. The
organizer planned to change the computers' configuration each day,
adding behaviors like polling a wiki page every five minutes or
checking email.
<http://www.securityfocus.com/archive/142/464216/30/0/threaded>
After TippingPoint put its money on the line and the challenge
progressed to include riskier behavior, the winning exploit
appeared, requiring that a URL received via email was opened using
the default Safari Web browser (relying on user interaction was a
change from the original rules, after no one had been able to break
in previously). However, the exploit wasn't based on Safari's "Open
'safe' files after downloading" preference, as was originally
suspected. According to security researcher Thomas Ptacek, the
attack was based on a flaw in Java, which would affect other Mac
browsers as well; turning off the Enable Java preference in Safari
or other browsers will protect against the vulnerability.
<http://www.matasano.com/log/806/hot-off-the-matasano-sms-queue-cansec-macbook-challenge-won/>
The malicious page caused Mac OS X to give user-level privileges to
the attacker, if I read the explanation at the conference site
correctly. Dai Zovi told ZDNet he discovered the exploit and
implemented it in about nine hours overnight. The second computer is
still unexploited, and requires that root privileges be obtained.
<http://cansecwest.com/post/2007-04-20-14:54:00.First_Mac_Hacked_Cancel_Or_Allow>
The contest was apparently designed to tweak Apple for what one
organizer said was its lack of participation in the security
industry. Dragos Ruiu told InfoWorld, "I hear a lot of people
bragging about how easy it is to break into Macs," and this contest
gave them a chance to show their stuff.
3Com's TippingPoint offers bounties via its Zero Day Initiative,
which tries to reward researchers by providing exploits that could
be immediately put to use in a malicious fashion. TippingPoint then
updates its own security software and notifies the affected vendor.
The firm later notifies its competitors, too.
<http://www.zerodayinitiative.com/>
Fed-talk mailing list (email@hidden)