Tuesday, April 24, 2007

Mac vulnerability may also affect Windows

It turns out that the vulnerability isn't in Apple's Safari web browser after all, but in the interaction between QuickTime and Java. That's not an academic issue, as it means that using an alternative browser such as Firefox gives no protection against the exploit. While we are waiting for a fix from Apple, disabling Java in whichever browser you favour seems to be a reasonable precaution. If you need to use a web site that requires Java, decide whether you trust the site before turning it back on, and don't forget to disable it again when you've finished.

The other point is that QuickTime is also installed on a lot of Windows PCs. So it seems likely that the bad guys are trying very hard to replicate Dino Dai Zovi's work, and they'll now be looking very closely at QuickTime and Java, especially on Windows.

One potential problem is that QuickTime and Java could be working as intended, but Dai Zovi has found a way of using a facility in a way that the designers didn't envisage. Such vulnerabilities can be difficult to patch without breaking legitimate software.

Dai Zovi's exploit is an attractive one, as no user interaction is required beyond opening a malicious web page (much like the recent ANI flaw that led Microsoft to release an early patch). Although people are more cautious about clicking on links in emails, it would be easy to plant the URL in blog comments and other places on the web.

People who complain that the CanSecWest competition rules were relaxed when participants were unable to gain access without user activity are missing the point. Sure, the fact that Mac OS X withstood network-based probing is a good thing, but following hyperlinks is an everyday action and people simply don't critically evaluate every link before they click.

In my book, any vulnerability that can be invisibly exploited via a web page calls for prompt attention. Users shouldn't have to wait for 'in the wild' exploits before the risk is taken seriously by the vendor.

Article Written by: Stephen Withers