Security researchers Shane Macaulay and Dino Dai Zovi took on a challenge at Canadian security conference CanSecWest to take control of a MacBook with a remote exploit. They pulled it off after Dai Zovi, working from home in New York, found suspect code in how Apple's QuickTime software handled Java. Macaulay demoed the exploit, earning him the free MacBook. Dai Zovi snagged $10,000 from the Zero Day Initiative, a controversial program run by 3Com that pays for security vulnerabilities, reports them to vendors, and uses the info to protect its clients before an official patch is released.
SecurityFocus's Robert Lemos tells the tale:
> Reached by phone, Dai Zovi sounded tired. Macaulay had called the former security researcher – now a security manager at a financial firm whose name he was unwilling to disclose – on Thursday night and asked if he had the time to find a flaw that could compromise the fully-patched MacBooks. The deal would be simple: Macaulay would get the MacBook, Dai Zovi the cash.
A Mac Gets Whacked, A Second Survives. Ryan Naraine of Zero Day was on the scene, filing this report and this interview with Dai Zovi.
Photo: Djenan Kozic
The exploit may not be limited just to Apple's Safari browser or even OS X. Firefox on Windows may also be vulnerable. Windows and OS X users are advised to turn off Java if they have QuickTime installed. Alternatively, uninstalling QuickTime should do the trick as well.

