There is a vulnerability here, one reported months ago, but there are no exploits in the wild.
The source of this particular incarnation of the security concern claims that he used this vulnerability to "pwn the target Mac" on the "first day of the last Pwn to Own" competition at CanSecWest but was not allowed to win because the judges ruled it was an already known vulnerability. The rules did state that the exploit had to utilize a new vulnerability, one that had not been reported.
However, there is another problem with this claim... the first day of the contest merely had the target computers sitting running the targeted browsers. In the case of the Mac, the browser was Safari. On that first day, the attempts to compromise the browser could not require the navigation to any specific website. The contest judges have stated that none of the target machines were compromised on the first day.
It was only on the second day, when the attackers could direct the referees to navigate to their prepared sites and click on a link, that Safari fell to Charles Miller's pre-prepared exploit (the one he had been working on for several months) in two seconds.
If you want on or off the Mac Ping List, Freepmail me.
IMO, I think JavaScript is a bigger vulnerability in browsers than Java.