When CVE-2007-0015 was published by the Month of Apple Bugs team, their exploit used a QTL Quicktime playlist file for triggering the bug. Whether their decision was because of preventing the exploit from being used “en masse” or simply for testing a different, less classic attack vector, it’s still worth noting that it could have worked far more efficiently via Safari, since Quicktime supports embedding playlist files and the Safari process address space would be easily subverted to ensure a higher degree of reliability when executing our payload.

Sometimes it’s good to remember old flaws, and improve old exploit code. Sometimes it’s even better to use new attack vectors on old flaws, too.

Finally we decided that Mephisto wasn’t yet the right solution for us, and until we have time to develop a proper blog engine in place, we are going to keep this going. We are damn busy at the moment, hence why our time for blogging is really limited. But we’ll try to keep interesting news around, stay tuned .

We are sorry about the not-so impressive looking current design, but this is being worked on behind the scenes. Hopefully the design guy will come up with some fresh ideas, he’s still busy working on the corporate site. Although, developing with Rails is never boring (well, just unlikely ).