CanSec Macbook Challenge Won, Exploiting Flaw in Safari

The CanSecWest weblog reports:

One OSX box has been owned! At this point all we can say is there is an exploitable flaw in Safari which can be triggered within a malicious web page. Of course all of the latest security patches have been applied. This one is 0day folks.

Makes me wonder whether it’s another exploit against Safari’s on-by-default “Open ‘Safe’ Files” preference. Update: A good source says it’s not “Open ‘Safe’ Files”. My next guess is that it’s a pseudo-URL protocol handler.

Thomas Ptacek confirms that the winners are Shane Macaulay and Dino Dai Zovi.

Friday, 20 April 2007