Thomas Ptacek has the scoop: Dino Dai Zovi’s winning exploit in the CanSecWest contest involves Java. It is not specific to Safari; Firefox — and, I presume, Camino — are also vulnerable. Turning off Java in your browser should defend against it.
In a comment on Ptacek’s weblog entry, Dai Zovi himself writes:
With any 0day bug, there is a ton of conflicting information in what it is in and what is affected. I obviously don’t want to say too much so as to hint as to where the bug is until a patch is released. I will say that applying slightly paranoid web browser configuration changes will prevent this vulnerability from being

And no, I have not been sitting on this exploit, I really did find the vulnerability and write the exploit that night. I got lucky. I have spent way more time not finding bugs many other times.
★ Saturday, 21 April 2007