More on the MacBook Pro browser exploit

Summary:If you haven't been following the hack of the Safari Web browser on a MacBook Pro there are some details that you should know.First, as I reported on Wednesday the attack is not native to the Macintosh.

If you haven't been following the hack of the Safari Web browser on a MacBook Pro there are some details that you should know.

First, as I reported on Wednesday the attack is not native to the Macintosh. The flaw actually lies in the way Apple's QuickTime Media Player works with the Java programming language, therefore Firefox browsers running on Windows are also vulnerable if the QuickTime plug-in is installed.

Fellow ZD blogger Ryan Naraine has posted an excellent interview with the orchestrator of the attack security researcher Dino Dai Zovi, an excerpt:

I do manual code inspection, that's my primary research tactic.   I look at feature sets. I look at the entire attack surface, look in areas of functionality where there were vulnerabilities in the past.  I look at the entire attack surface, see what looks dangerous, what looks sketchy.  In this case, there was blood in the water so I started looking at something specific and found this one.  Then I worked up the exploit from there.

Ryan has also debunked the assertion that the MacBook Pro exploit is "in the wild" 

An anonymous blogger claims he/she was able to monitor the network at CanSecWest security conference and snag a full packet capture of the contest...

To which a CanSecWest organizer responded:

Someone may have reverse-engineered the vulnerability but they didn't pull it off the network there.

Daring Fireball's John Gruber has also interviewed Dai Zovi, whose background "is primarily on the "adversarial" or "offensive" side of security testing." Which means that he generally plays the role of "a determined and skilled attacker in order to compromise the security of a network, web application, software application, or operating system."

Although the exploit hasn't been published and it only gains user-level privileges, it still allows an attacker to read, delete, or corrupt anything in your home directory. Until Apple releases a patch for the exploit you'd be well advised to turn off Java in your Web browser.

Topics: Apple, Browser, Hardware, Networking, Security

About

Jason D. O'Grady developed an affinity for Apple computers after using the original Lisa, and this affinity turned into a bona-fide obsession when he got the original 128 KB Macintosh in 1984. He started writing one of the first Web sites about Apple (O'Grady's PowerPage) in 1995 and is considered to be one of the fathers of blogging.... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.