
Wahey!
I feel proud, being a Mac user, finally being considered worthy enough to be attacked by a "virus/trojan" that's also available on Windows too!
What a day!
Malware-writers have developed a Java-based, equal-opportunity botnet Trojan in an apparent bid to infect more machines outside the Windows ecosystem. IncognitoRAT uses source code and libraries that allow it to attack both Windows and Mac machines, at least in theory. Only the Windows version of the malicious downloader has …
Lots of people know OS X fell in pwn2own, few know the extent of what that actually means based on the contest rules.
Execution of code was completed, yes, BUT, only through MANUAL intervention, and only at user code level authority. Code was NOT installed, root or other escalated permissions were not attained, a bot/trojan/virus could not be deployed or left behind, and the server receiving the "tricked" connection to a pre-generated web site (successful phishing attack required first) required the hacker to be online to accept the incoming attack and directly interact with the pwnd machine. They also did not acquire or bypass keychain (though IF you could get code escalated and running on a mac (possible directly, but not yet proven remotely), there was an exploit shown (now patched) to do that).
Remote code installation on OS X has never once been demonstrated, even using now-patched vulns under the assumption a user had not yet installed the patches, that had escalated admin permissions and/or the ability to access secured portions of OS X or the keychain. There are ways proven to compromise a mac, yea, but they are not capable of being automated, and cannot self-spread; they all require a central server, making them easy to block and stop, and first the user has to be tricked for that to even be possible. Proof of concepts of defeating one or more layers of security, making assumptions that other barriers can/will be breached, have been shown, and every individual layer of security has been breached, but no hacker or security team has ever shown a complete path to enable that remotely.
More so, if you could get a virus installed on OS X, it would dance in the tray when running, show up in task manager, in general be easy to spot. Really the only viable ways to get an app in here boil down to tricking the user to go to a site, tricking them to download code, tricking them to type their keychain password, even use the mac installer itself, and all this boils down to activity that is damned easy to detect with AV software.
I'm not suggesting this can't be done, that OS X cannot be compromised, but I am suggesting people get a grip, and understand just what Pwn2Own is, and that the methods used provide very, very low-level risks, and simply because a Mac fell does not mean it can be remotely compromised (yet). Also, everything known for pwn2own is handed over, and those vulns patched.
And in this case, it doesn't even appear the Mac cross-code even works... just that yet another coder tried and failed.