Full Disclosure mailing list archives
Re: Re: Question about Mac OS X 10.4 Security
From: Paul Schmehl <pauls () utdallas edu>
Date: Wed, 01 Mar 2006 16:20:45 -0600
--On Thursday, March 02, 2006 08:57:18 +1100 mz4ph0d () gmail com wrote:

> Sorry to spoil everyone's fun.
> <http://docs.info.apple.com/article.html?artnum=303382>
> Maybe, just maybe, Apple are actually better (able/positioned) to respond quickly to vulnerabilities before the exploits in-the-wild affect more than 50 people? Who knows.

It doesn't look like it. They seem to have addressed the vulnerability as it applies to Safari, but not the underlying vulnerability. If I send you an email, with a zip attachment (naming and extension is irrelevant), and I can get you to attempt to open the attachment (fairly trivial with many users), I can execute arbitrary code on your machine. The only "restriction" is that, if I attempt to execute code that requires admin privileges, I'd have to convince you to type in your password (again, fairly trivial for most users.)
So, Apple hasn't fully addressed this problem yet. (Trust me, I've tested it.) If you are responsible for Macs and you haven't read this yet, you need to:
<http://isc.sans.org/diary.php?storyid=1138&rss> (Don't click the PoC link if you're using a Mac!)
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/