CanSecWest MacBook Pro challenge exploits Java-enabled browsers, including Firefox

Apple Store“According to Matasano (home base for security researcher Dino Dai Zovi), the announced-but-unreleased web browser exploit that was used to win the CanSecWest MacBook Pro challenge involves browser support for Java. Turn off Java for Safari (or Firefox, or Camino) and your machine is immune,” Michael Rose reports for TUAW.

Full article here.

“The vulnerability affects Firefox as well as Safari,” Matasano Chargen reports.

Full article here.

[Thanks to MacDailyNews Reader “Adam W.” for the heads up.]

MacDailyNews Take: The story clarifies. As it always seems to do after the damage is done in the media (meanwhile, Mac users continue to surf the Web unaffected). So, that’s some Mac OS X “hack,” huh? Ten grand and a MacBook Pro for that? Pfft. We await InfoWorld’s next hysterical headline regarding this developing story with bated breath.

MacDailyNews Note: To protect yourself from this unreleased-in-the-wild, yet extremely over-publicized scourge, in Safari’s Preferences, uncheck “Enable Java” in the “Security” tab. In Firefox’s Preferences, uncheck “Enable Java” in the “Content” tab.

Related articles:
InfoWorld publishes false report on Apple Mac security – April 21, 2007
CanSecWest’s $10,000 ‘Hack a Mac’ challenge relaxes barriers, finds exploitable hole in Safari – April 20, 2007
Apple MacBooks hold strong, remain unhacked after first day of $10,000 ‘Hack a Mac’ challenge – April 20, 2007
CanSecWest sweetens ‘Hack a Mac’ contest pot to $10,000 – April 20, 2007
CanSecWest to hold ‘PWN to OWN’ contest: pits Apple MacBook Pros vs. hackers – March 26, 2007
Microsoft’s oft-delayed, much-pared-down Windows Vista hacked at Black Hat – August 07, 2006
Microsoft publicity stunt asks hackers to attack Windows Vista – August 04, 2006
Apple Mac remains ‘unhacked’ as University of Wisconsin’s Mac OS X Security Challenge ends – March 08, 2006
Mac OS X ‘unhacked’ over 24 hours and counting in genuine security challenge – March 07, 2006


  1. Microdaft fanboys are the world’s best believers in George Orwell’s “doublethink.” In their addled minds Five Years = Six Months, Zune = iPod, and 1 = 100,000. Gawd, how I wish I could think like that sometimes.

  2. Turning off Java will not affect stuff like rollovers, scripted stuff – thats Javascript, which is completely different. Java is used for applets and online Java apps and so on. You should barely notice that it is turned off.

    Magic Word = remember.
    Remember, Java and Javascript are two different, unrelated technologies (loosely used term…)

  3. I have the same question as dergolem. Also, would we have to uncheck “Enable Javascript” as well as “Enable Java” in Safari’s Preferences?

    BTW, The Register published a snarky article called:
    Safari zero-day exploit nets $10,000 prize
    Pwn’d in 12 hours
    By Dan Goodin in Vancouver

    A New York-based security researcher spent less than 12 hours to identify and exploit a zero-day vulnerability in Apple’s Safari browser that allowed him to remotely gain full user rights to the hacked machine…The exploit means that Dino Dai Zovi is the rightful owner of the 2.3Ghz 15-inch MacBook Pro and a $10,000 prize offered by Tipping Point, which runs the Zero Day Initiative bug bounty program… More importantly, his work effectively throws cold water on tired claims from Apple and its many lackeys that the Mac is all but immune from the kind of security attacks more regularly perpetrated against Windows-based machines…The ease Dai Zovi found in pwning the machine was all the more remarkable, given an update Apple pushed out yesterday patching 25 Mac security holes.”

    My understanding was this hack did not allow someone “to remotely gain full user rights” as the article states. Is that correct?

  4. Javascript is called Javascript because when Netscape invented it Java was the hot up-and-coming language that was going to take over the world, and they wanted a buzzword-bingo-esque name for it.

    The two have absolutely nothing to do with each other.


    Safari and Mac OS X should have safeguards against other programs or code doing things they are not supposed to do.

    FYI: Java, and Javascript are not made by Apple.

    With this exploit, just by clicking a link the entire contents of my user folder could be deleted.

  6. What’s REALLY alarming is

    That with Intel based Mac’s, there is a EFI firmware accessable partition on the hard drive that can be accessed by programs to install DRMware, monitorware, drivers etc.

    EFI loads and runs, accesses the internet and downloads EVEN BEFORE THE OS HAS!!!

    So basically the OS is not in charge anymore, it’s what one installs via third party programs.

    Scary huh?

    Look here for info.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.