Focus on Apple
Re: Month of Apple Bugs Dec 20 2006 05:12PM
Dave Schroeder (das doit wisc edu)

On Dec 20, 2006, at 10:54 AM, jot wrote:

>
>> Coming to a Mac near you in January...
>
> It's coming, but whether it's coming to a Mac near me is questionable.
>
> My guess is that each "bug" will involve at least one of the
> following IFs:
>
> 1. User must be tricked into clicking a URL
> 2. User must be tricked into opening a malicious file
> 3. User must have a specific poor configuration on their system
> (such as those Dave mentioned)
>
> If that is the case, then the threat does not change for Mac users.
> There are already exploits available to attack those with such
> vulnerabilities.

Well, I imagine that many of these vulnerabilities will require what
you've mentioned as an initial vector, which immediately puts these
into a pretty uninteresting category for me. I'd also imagine there
will be a couple of doozies in there. But again, probably nothing
that is exploitable from remote, much less on a default configuration
of a Mac OS X system. What I would be interested to see is *any*
vulnerability that could be used from remote, on stock services (when
enabled, of course) on Mac OS X/Mac OS X Server. Of course, these
days, attacks via trojans and social engineering are indeed getting
more important. When someone runs code on the local machine, it's
over. But closing mechanisms via which this could be more easily
taken advantage of, via shortcomings in components that ship with Mac
OS X (as I imagine some of these things will be), is a good thing.

Even though I disagree with the mechanism of disclosure (e.g., widely
disclosing without informing the vendor first), in a way, this is a
very good thing, because it means that Mac OS X is interesting enough
to warrant a "Month of XYZ" type of thing, probably revealing many as-
yet-unknown issues in Mac OS X specifically, some of which no doubt
can be used for local privilege escalation - which, in conjunction
with a vulnerable webapp or weak ssh password, could be very serious.
Getting these fixed instead of having them linger out there in the
hands of only malicious entities is a net positive.

- Dave

Copyright 2009, SecurityFocus