Further details on vulnerability in Apple's Safari
Further details of the recently reported vulnerability in Apple's Safari browser have now been released. According to a blog entry from security services provider Matasano Security, which employs Dino Dai Zovi, the discoverer of the vulnerability and winner of the Hack-a-Mac competition, the vulnerability is not in Safari itself but in Apple's QuickTime media player. It apparently results from the way the media player processes Java code. Safari is therefore not necessarily required as an entry point; the attack can also be made via Firefox.
In addition, it is apparently not just Mac OS X users who are affected: Windows PCs are also vulnerable if the user uses Firefox, Java and QuickTime. The only remedy at present is to deactivate Java in the browser. In Firefox for Windows, this setting is found under Tools/Options/Content, in Firefox for Mac under Firefox/Options/Content and in Safari under Safari/Options/Security.
As part of the Hack-a-Mac "PWN to own" competition at the CanSecWest security conference, Dai Zovi, together with Shane Macaulay, hacked a fully patched MacBook Pro running Mac OS X 10.4.9 using a prepared website, winning a prize of 10,000 US dollars in the process.
- MacBook Vuln In Quicktime, Affects Win32 Apple Code, blog entry from Matasano Security