John Gruber has posted an e-mail interview of Dino Dai Zovi, the hacker who cracked a Mac at CanSecWest. He exploited a Java-based vulnerability in QuickTime, which he says is accessible via Firefox (including the Windows version) and Safari.
From the interview:
Gruber: I suspect some people might read this and think it’s good news that your exploit “only” gains user-level privileges. But an exploit like this is potentially catastrophic in the hands of an attacker. With user-level privileges, an exploit can read, delete, or corrupt anything in the user’s home directory – more or less all of the user’s own data. Technically, root exploits are harder and more powerful, but practically speaking, user-level privileges are all that an attacker needs. Correct?
Dai Zovi: A remote root exploit is typically much harder to come by than a remote user privilege exploit. However, in general, local user to root exploits are simpler to find than remote user-privilege exploits. So, in general, it is reasonable to assume that once an attacker has local user access to a system, root is not difficult to obtain. One should also point out, that if the user privileges are an admin user, it is possible to write to /Applications/ and /Library/, and this access is quite damaging. On a (primarily) single-user machine like a laptop or desktop, even non-admin user-level privileges are enough for most attacks (reading data, corrupting running applications, etc).
Nobody should run an operating system as a single-user-only, nor should any OS be used that doesn’t have at least two levels of permissions (root/admin and user) to minimize harm to the entire system. This is one of the real shortcomings of Haiku (as it now exists) and one of the reasons I compared it to Windows95 earlier this week — it’s not a trivial matter if anyone can make system-wide changes by obtaining access locally or remotely.