So by now you have probably heard about the MacBook Pro that was compromised at CanSecWest last Friday. Here is a quick recap if you missed it. A MacBook Pro with all updates applied on a wireless network, if you can break in you win the laptop. Well, after two days no one broke in so the rules where relaxed a little and the MacBooks where allowed to surf to malicious webpages. You can read more details here, here, here, here, here, and probably a few dozen other places.
The hype on this is pretty amazing considering that this really isn’t that big of a hack. This sort of things happens on Windows platforms on a almost daily basis. Yes, its zero day but other than that so what? Lets take a look at the actual exploit, or at least as much as we can piece together from the various ‘news’ outlets. First you need to convince a user to visit your malicious web page with Safari (no mention if Firefox or other browsers are immune) which depending on who you are convincing may or may not be that hard. Then even after you get your code installed installed on the victim your only granted user level access. Your still not root. Granted your a big step closer to getting root but you are still mired in userland.
So yes, this is a valid hole that should be repaired as soon as possible but it doesn’t warrent anywhere near as much press as it has been garnering.