pwn2own Confirmation: 0day in Safari

Windows users with iTunes beware! Apple has opted you in to install their vulnerable Safari browser on your computer with iTunes updates. You must uncheck the Safari update box before updating iTunes if you don’t want to install Safari.

PWN to OWN Day Two: First Winner Emerges!:

They were able to exploit a brand new 0day vulnerability in Apple’s Safari web browser. Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service. The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue.

So if you update iTunes and install Safari, you’re getting this exploitable code on your computer.

I may have more information about the nature of the exploit tomorrow. :-)

EDIT/UPDATES:

  1. The exploit Charlie Miller used to win the coveted Macbook Err involved a telnet exploit via privilege escalation from a malformed/malicious link. Reportedly. We’ll find out when Apple gets around to fixing it. Which brings me to another point…
  2. Before anyone dismisses my objections to Apple’s requirement that users opt-out of installing Safari when updating iTunes, look at Secunia’s new advisory. Note that it’s highly critical. Safari is buggy and vulnerable in OSX. It’s even worse in Windows.

One Response to “pwn2own Confirmation: 0day in Safari”

  1. bandoche Says:

    I want to translate this page on my blog and I want to know if I can.

    REPLY: Yes, of course.
