More on the CanSecWest exploit and Java

According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune.

Let's take a moment to note, before frantically shutting down all the garbage mashers on the detention level, that this is an unreleased exploit and there is no expectation of it going wild; it's in the care and feeding of the Zero Day Initiative now and notification to Apple, Sun (Java) and other affected parties will be handled professionally. The only real-world risk is if some clever soul manages to find the same unpublished vulnerability that Dai Zovi did and pairs it with a malicious payload. Personally, I use Java for a couple of work purposes, but I can presumably leave it on in one browser for those specific pages and do my general browsing with another, Java-disabled browser... that is, I would, if I was paranoid.

There are plenty of other ways to improve your Mac security, most listed via this post. Top three: turn on the firewall, run as a normal user, and turn off wireless (at least, turn off automatic connection to open networks). Apple's guide to Tiger security is also available as a PDF here.
Share