tag:blogger.com,1999:blog-5554915078212081470.post7193726225892631394..comments2023-07-31T04:22:23.114-05:00Comments on HiR Information Report: Mac OS X: Pwned in two minutes flat - CanSecWestAx0nhttp://www.blogger.com/profile/12145109647562469601noreply@blogger.comBlogger2125tag:blogger.com,1999:blog-5554915078212081470.post-24813796400091383152008-03-30T17:47:00.000-05:002008-03-30T17:47:00.000-05:00Recent changes made to WebKit suggest that the exp...Recent changes made to WebKit suggest that the exploit was likely related to a PCRE component of Safari.<BR/><BR/>http://digg.com/apple/Details_of_CanSecWest_winning_Safari_exploitAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-5554915078212081470.post-50045824307693835152008-03-30T13:43:00.000-05:002008-03-30T13:43:00.000-05:00Straight from the horses mouth: http://dvlabs.tipp...Straight from the horses mouth: <BR/>http://dvlabs.tippingpoint.com/blog/2008/03/27/day-two-of-cansecwest-pwn-to-own---we-have-our-first-official-winner-with-picture<BR/><BR/>Quick time was to blame last year:<BR/>http://www.theregister.co.uk/2007/04/25/quicktime_vuln_fells_mac/<BR/><BR/>This was classified as use of OS applications (safari, mail …etc) which allows for a user on the workstation to navigate to a web page with exploit code in it.<BR/>It passed the 3rd party apps and Pre-Auth attacks fairly well. They havn’t published the details yet on the vulnerability so we wont know whats really to blame until apple releases the patch.<BR/><BR/>As a Mac user am I disappointed? Yes, because Safari was designed similar in concept to IE, it uses undocumented OS API calls for acceleration. Firefox isn’t all great either but when found they usually do a good job about releasing a timely update to fix the vulnerabilities. <BR/><BR/>This really isn’t any more a news item than "OMG sharks eating people !?" in my opinion. BTW Ubuntu and Windows both got 0wned too.Joel Kershnerhttps://www.blogger.com/profile/06555078551359105805noreply@blogger.com