Charlie Miller to reveal 20 zero day security holes in Mac OS X
100% of which will require having physical access to the computer and a local account to login to. They usually leave that factoid out until they show them off.
Not true.
This is the same guy as the last few years, and all previous reports used words to the effect: • The MacBook was able to withstand external network attacks. but then later on... • [ . . . ] with the interaction of a userwho surfed to a specially crafted website.
Sorry but, that's not physical access in the sense that the term "physical access" is normally used. If simply visiting a webpage page can infect a computer, then that's a serious problem (imho). Trying to lump that sort of weakness under "physical access" is a prevarication.
Security researcher Charlie Miller, in a repeat performance of last year, used a prepared exploit to crack the Safari web browser on a MacBook running the latest version of Mac OS X, in a matter of seconds. The exploit won him $5,000 and the MacBook. According to CNet Miller said that he used a security hole which he discovered last year that allows a remote attacker to gain control of a machine when a user visits a malicious URL. Last year Miller also cracked Safari in a few minutes and won a MacBook Air and $10,000 in prize money.
Of three laptops to be hacked, a MacBook Air with Mac OS X 10.5.2 was the first to fall victim to crack attempts of participants in the PWN to OWN contest at CanSecWest. The laptops running Windows Vista SP1 and Ubuntu 7.10 remain uncompromised. According to information provided by organisers of the TippingPoint competition, Charlie Miller, Jake Honoroff and Mark Daniel of security service provider Independent Security Evaluator were able to take control of the machine through a hole in the Safari web browser. The vulnerability has supposedly not yet been made public and is still under wraps until Apple is able to provide a patch. In addition to $10,000 prize money, the winners also get to keep the MacBook as a bonus.
As part of the Hack-a-Mac "PWN to own" competition at the CanSecWest security conference, two competitors succeeded in hacking a fully patched MacBook Pro running Mac OS X 10.4.9. They did not, however, penetrate the computer directly, rather they exploited a vulnerability in Apple's Safari web browser. On visiting a website prepared by the hackers, malicious code was injected onto the MacBook and executed with user privileges.
Originally Posted By: Virtual1
When someone comes up with a network exploit, I'll pay more attention.
Well the local ones are no party either, especially if they give admin->root escalation. Because that's the first place a hacker will head, once they poke through one of these little backdoors in Safari.
But don't worry, i'll keep you posted from now on.
