Defending Against the CanSecWest Mac Exploit: Turn Off Java

Thomas Ptacek has the scoop: Dino Dai Zovi’s winning exploit in the CanSecWest contest involves Java. It is not specific to Safari; Firefox — and, I presume, Camino — are also vulnerable. Turning off Java in your browser should defend against it.

In a comment on Ptacek’s weblog entry, Dai Zovi himself writes:

With any 0day bug, there is a ton of conflicting information in what it is in and what is affected. I obviously don’t want to say too much so as to hint as to where the bug is until a patch is released. I will say that applying slightly paranoid web browser configuration changes will prevent this vulnerability from being exploited.

And no, I have not been sitting on this exploit, I really did find the vulnerability and write the exploit that night. I got lucky. I have spent way more time not finding bugs many other times.

Saturday, 21 April 2007