By John Gruber
Thomas Ptacek has the scoop: Dino Dai Zovi’s winning exploit in the CanSecWest contest involves Java. It is not specific to Safari; Firefox — and, I presume, Camino — are also vulnerable. Turning off Java in your browser should defend against it.
In a comment on Ptacek’s weblog entry, Dai Zovi himself writes:
With any 0day bug, there is a ton of conflicting information in what it is in and what is affected. I obviously don’t want to say too much so as to hint as to where the bug is until a patch is released. I will say that applying slightly paranoid web browser configuration changes will prevent this vulnerability from being exploited.
And no, I have not been sitting on this exploit, I really did find the vulnerability and write the exploit that night. I got lucky. I have spent way more time not finding bugs many other times.
★ Saturday, 21 April 2007