Security Bytes

Apr 23 2007   11:36AM GMT

Reports of a Safari zero-day

Leigha Cardwell

The Mac faithful are certainly not used to this.

The SANS Internet Storm Center is reporting a possible zero-day exploit involving Apple’s Safari Web browser. You read that right — a zero-day affecting Apple, not Microsoft.

Pedro Bueno, a handler at the storm center, said the report came from the CanSecWest confab in Vancouver. He wrote that a fully patched Mac OS X box “was owned” due to an exploitable flaw in Safari that’s triggered when the user visits a malicious Web site.

The CanSecWest Web site said additional details of the flaw and exploit will be released later. The Mac hack was part of a contest designed to raise awareness of the threats facing Mac users, who tend to see Apple’s OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser.

New Yorker Dino Dai Zovi managed to expose the hole, but because the contest was only open to people in attendance at the conference in Vancouver, he sent his findings to a buddy at the conference who then forwarded them on.

3Com’s TippingPoint division offered a $10,000 cash prize as part of the contest, and the company will report the flaw details to Apple.

Unfortunately, the flaw was not addressed in a mega-fix Apple released last week to plug about two dozen security holes.

UPDATE: It turns out that Dai Zovi won the contest by exploiting a flaw in Apple’s popular QuickTime media player.

New York consultancy Matasano Security LLC said in its Matasano Chargen blog that the QuickTime flaw is also a threat to those who use Safari, Firefox and Windows.
