ZD Net's Ryan Naraine has a short but interesting interview with Dino Dai Zovi, formerly of Matasano Security, who used a Safari browser insecurity to hack a MacBook via a website at the recent CanSecWest conference in Vancouver, Canada. With his friend Shane Macaulay, he won $10,000 and the hacked MacBook. Key points:
What can you divulge about this specific vulnerability?
I have to be careful because this is still unpatched and ZDI [Tipping Point's Zero Day Initiative] owns the exclusive rights to all the information. The most I can say is that running Web browsers in hardened configuration would prevent this vulnerability from being exploited.
Turn off all unnecessary browser features such as extra plug-ins, JavaScript and Java.
There was very little user action involved. Once the browser opened to a Web page that the attacker controlled, it was game over.
What took longer? Finding the vulnerability or writing the exploit?
That's a good question. I think it was about the same. I remember calling Shane around 3:00 a.m. Eastern, saying that I have something that might be exploitable. That took about five hours. It took another four hours or so to write a reliable exploit that would work on a default Mac OS X installation. I got really lucky in this case. Sometimes you'll find something within an hour, and sometimes you can spend several days or several weeks looking and find nothing.
