The Mac faithful are certainly not used to this.
The SANS Internet Storm Center is reporting a possible zero-day exploit involving Apple’s Safari Web browser. You read that right — a zero-day affecting Apple, not Microsoft.
Pedro Bueno, a handler at the storm center, said the report came from the CanSecWest confab in Vancouver. He wrote that a fully patched Mac OS X box “was owned” due to an exploitable flaw in Safari that’s triggered when the user visits a malicious Web site.
The CanSecWest Web site said additional details of the flaw and exploit will be released later. The Mac hack was part of a contest designed to raise awareness of the threats facing Mac users, who tend to see Apple’s OS as a more secure alternative to Microsoft Windows and its much-attacked Internet Explorer browser.
New Yorker Dino Di Zovie managed to expose the hole, but because the contest was only open to people in attendance at the conference in Vancouver, he sent his findings to a buddy at the conference who then forwarded it on.
3Com’s TippingPoint division offered a $10,000 cash prize as part of the contest, and the company will report the flaw details to Apple.
Unfortunately, the flaw was not addressed in a mega-fix Apple released last week to plug about two dozen security holes.
UPDATE: It turns out that Di Zovien won the contest by exploiting a flaw in Apple’s popular QuickTime media player.
New York consultancy Matasano Security LLC. said in its Matasano Chargen blog that the QuickTime flaw is also a threat to those who use Safari, Firefox and Windows.
Click here to see the full story.
Technorati Tags: MAC+OS+X+Security