Mac vulnerability may also affect Windows
by Stephen Withers   
Wednesday, 25 April 2007
More details have emerged about the vulnerability in Mac OS X revealed at the CanSecWest security conference, and things aren't as they originally seemed.

It turns out that the vulnerability isn't in Apple's Safari web browser after all, but in the interaction between QuickTime and Java.

That's not an academic issue, as it means that using an alternative browser such as Firefox gives no protection against the exploit. While we are waiting for a fix from Apple, disabling Java in whichever browser you favour seems to be a reasonable precaution. If you need to use a web site that requires Java, decide whether you trust the site before turning it back on, and don't forget to disable it again when you've finished.

The other point is that QuickTime is also installed on a lot of Windows PCs. So it seems likely that the bad guys are trying very hard to replicate Dino Dai Zovi's work, and they'll now be looking very closely at QuickTime and Java, especially on Windows.

One potential problem is that QuickTime and Java could be working as intended, but Dai Zovi has found a way of using a facility in a way that the designers didn't envisage. Such vulnerabilities can be difficult to patch without breaking legitimate software.

Dai Zovi's exploit is an attractive one, as no user interaction is required beyond opening a malicious web page (much like the recent ANI flaw that led Microsoft to release an early patch). Although people are more cautious about clicking on links in emails, it would be easy to plant the URL in blog comments and other places on the web.

People who complain that the CanSecWest competition rules were relaxed when participants were unable to gain access without user activity are missing the point. Sure, the fact that Mac OS X withstood network-based probing is a good thing, but following hyperlinks is an everyday action and people simply don't critically evaluate every link before they click.

In my book, any vulnerability that can be invisibly exploited via a web page calls for prompt attention. Users shouldn't have to wait for 'in the wild' exploits before the risk is taken seriously by the vendor.