| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <E5A8A8407499CBF575756FE7@utd59514.utdallas.edu> Date: Wed Mar 1 22:20:54 2006 From: pauls at utdallas.edu (Paul Schmehl) Subject: Re: Question about Mac OS X 10.4 Security --On Thursday, March 02, 2006 08:57:18 +1100 mz4ph0d@...il.com wrote: > > Sorry to spoil everyone's fun. > <http://docs.info.apple.com/article.html?artnum=303382> > > Maybe, just maybe, Apple are actually better (able/positioned) to > respond quickly to vulnerabilities before the exploits in-the-wild > affect more than 50 people? Who knows. > It doesn't look like it. They seem to have addressed the vulnerability as it applies to Safari, but not the underlying vulnerability. If I send you an email, with a zip attachment (naming and extension is irrelevant), and I can get you to attempt to open the attachment (fairly trivial with many users), I can execute abitrary code on your machine. The only "restriction" is that, if I attempt to execute code that requires admin privileges, I'd have to convince you to type in your password (again, fairly trivial for most users.) So, Apple hasn't fully addressed this problem yet. (Trust me, I've tested it.) If you are responsible for Macs and you haven't read this yet, you need to: <http://isc.sans.org/diary.php?storyid=1138&rss> (Don't click the PoC link if you're using a Mac!) Paul Schmehl (pauls@...allas.edu) Adjunct Information Security Officer University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/ir/security/
Powered by blists - more mailing lists