AmesMUG: News: MacBook Pro hijacked with Safari zero-day

Colin Wheeler colindw at gmail.com
Sat Apr 21 09:03:39 CDT 2007


I think your description is a bit deceptive. It implies it only took two
days for someone to crack into a MacBook, when, if you read the
article, it says they had to keep raising the bounty and relax the rules
to provide enough incentive for someone to finally crack it. That said,
I'm not delusional and don't believe that any OS is invulnerable, but I
have yet to see a Mac OS X exploit running in the wild.

As I understand this from reading the article, the rules originally
called for gaining shell access to the MacBook, which was connected to
a router, or getting root access, not using the same exploit as the
first bug.

Evidently nobody was interested, so 3Com added a $10,000 bounty.

Then they relaxed the rules and allowed the MacBook to visit web pages
through Mail.

Still, this article doesn't spell out many critical details. Was the
account an Admin or just a regular account? If you're not an admin, then
there isn't much you can do and this bug wouldn't get very far. Was
Safari allowed to automatically open attachments? In which case, again,
this bug depends on a setting which most people should change anyway.
Thirdly, the bug depends on social engineering.

So we've got a Safari bug (not a Mac OS X exploit) that requires that
users actually bother to read your e-mail and click on a link to a
website, and have their default browser set to Safari; then (presumably,
because we don't know if they are running under admin or not and
whether or not they have auto-open files turned on) they have a
compromised machine that has user-level (i.e. no root-level) access
turned on. Plus, how many Firefox & IE exploits along this line have
there been? A lot.

Interestingly too (not that I'm smelling crap), the event was
sponsored by Microsoft.

I wouldn't worry about this, as it only exploits Macs, which are a
fraction of the market, and then requires social engineering, which will
only get you a small fraction of that fraction. Even with that you
only have user-level access, which won't get you very far.

Now have someone pwn (by that I mean gain root-level access) a Mac OS
X system that's fully up to date on a non-admin account without
relaxing the rules, and then I'll be impressed. It doesn't matter what
OS you're on; being secure means thinking before you click.

From Colin Wheeler

On 4/21/07, Hari Wiguna <hwiguna at gmail.com> wrote:
> Lured by a free MacBook Pro and $10,000 prize, someone hacked a fully
> patched MacBook Pro in two days.
>
> http://blogs.zdnet.com/security/?p=174
>
>

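A small check for the two questions the post raises about the attack's
preconditions (is the account an admin, and does Safari auto-open "safe"
downloads), added here as an example; it is not part of Colin's message
or of the article he discusses. It assumes macOS conventions: admin
rights mean membership in the "admin" group as printed by `id -Gn`, and
Safari's setting is the AutoOpenSafeDownloads key in the com.apple.Safari
defaults domain, which is on by default, so an absent key counts as
enabled. The risk_level triage scale is my own, and the sample group
lists are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post. Pure helpers first, so the
# decision logic can be tested anywhere; a live check runs only on a Mac.
#
# Assumptions (labelled): admin = member of the "admin" group; Safari's
# "Open 'safe' files after downloading" is the defaults key
# com.apple.Safari AutoOpenSafeDownloads, on by default when unset.

# is_admin GROUPS
#   GROUPS is a space-separated group list, as printed by `id -Gn`.
#   Succeeds only if "admin" appears as a whole word (so "_appserveradm"
#   or "administrators" do not match).
is_admin() {
  for _g in $1; do
    [ "$_g" = "admin" ] && return 0
  done
  return 1
}

# autoopen_enabled VALUE
#   VALUE is what `defaults read com.apple.Safari AutoOpenSafeDownloads`
#   prints ("1" or "0"), or the empty string when the key is absent.
#   Because Safari ships with the option ON, an absent key means enabled.
autoopen_enabled() {
  case "$1" in
    0|false|FALSE|no|NO) return 1 ;;
    *) return 0 ;;
  esac
}

# risk_level GROUPS VALUE
#   Combines the two answers into a simple triage (my own scale):
#   admin + auto-open = high, one of the two = medium, neither = low.
risk_level() {
  if is_admin "$1"; then _acct=admin; else _acct=standard; fi
  if autoopen_enabled "$2"; then _ao=autoopen; else _ao=noautoopen; fi
  case "$_acct-$_ao" in
    admin-autoopen)    echo high ;;
    admin-noautoopen)  echo medium ;;
    standard-autoopen) echo medium ;;
    *)                 echo low ;;
  esac
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_GROUPS_ADMIN="staff everyone localaccounts admin _appserverusr"
SAMPLE_GROUPS_STD="staff everyone localaccounts"

# Live check: only when `defaults` exists (i.e. we are on macOS).
if [ -z "$NO_LIVE_CHECK" ] && command -v defaults >/dev/null 2>&1; then
  live_groups=$(id -Gn)
  live_ao=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
  if is_admin "$live_groups"; then echo "account: admin"; else echo "account: standard"; fi
  if autoopen_enabled "$live_ao"; then
    echo "safari auto-open: enabled (value '${live_ao:-unset}')"
    echo "to disable: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
  else
    echo "safari auto-open: disabled"
  fi
  echo "risk: $(risk_level "$live_groups" "$live_ao")"
fi
```

Run it as a normal user on the Mac you want to check; on other systems
only the helpers are defined. One caveat: on recent macOS releases
Safari keeps its preferences in a sandbox container, so `defaults read`
from a Terminal without Full Disk Access may report the key as missing.
The script treats a missing key as "enabled", which is the conservative
reading, but confirm the setting in Safari's General preferences before
relying on it.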
