More on the MacBook Pro browser exploit
If you haven't been following the hack of the Safari Web browser on a MacBook Pro there are some details that you should know.
First, as I reported on Wednesday the attack is not native to the Macintosh. The flaw actually lies in the way Apple's QuickTime Media Player works with the Java programming language, therefore Firefox browsers running on Windows are also vulnerable if the QuickTime plug-in is installed.
Fellow ZD blogger Ryan Naraine has posted an excellent interview with the orchestrator of the attack security researcher Dino Dai Zovi, an excerpt:
I do manual code inspection, that's my primary research tactic. I look at feature sets. I look at the entire attack surface, look in areas of functionality where there were vulnerabilities in the past. I look at the entire attack surface, see what looks dangerous, what looks sketchy. In this case, there was blood in the water so I started looking at something specific and found this one. Then I worked up the exploit from there.
Ryan has also debunked the assertion that the MacBook Pro exploit is "in the wild"
An anonymous blogger claims he/she was able to monitor the network at CanSecWest security conference and snag a full packet capture of the contest...
To which a CanSecWest organizer responded:
Someone may have reverse-engineered the vulnerability but they didn't pull it off the network there.
Daring Fireball's John Gruber has also interviewed Dai Zovi, whose background "is primarily on the "adversarial" or "offensive" side of security testing." Which means that he generally plays the role of "a determined and skilled attacker in order to compromise the security of a network, web application, software application, or operating system."
Although the exploit hasn't been published and it only gains user-level privileges, it still allows an attacker to read, delete, or corrupt anything in your home directory. Until Apple releases a patch for the exploit you'd be well advised to turn off Java in your Web browser.