Intevydis, a security research firm, has released to its customers a very effective zero-Day which can be used to exploit a buffer overflow in Firefox 3.6. It is unclear if the exploit affects Mac OSX and it has not been made public yet. Usually if an exploit is found for a framework you can rest assure that other criminal elements will find out all then can about it and try to duplicate it or chain it within their own methods.

If the recent attacks against Google, Intel and other companies clearly demonstrates that attackers effectively leverage various exploits in a chain to defeat security. Each packet sent in an attack is a resource, an effective attacker goal is to develop a process that leverages the least amount of resources against the least resistant target. To counter this the security professional has to engineer a system that layers defenses to increase the cost of resources to the attacker to the point that they will move on. It is important to keep that in mind when zero-Day exploits are announced but not released. Yes they are dangerous but a layered defense can make the cost to high for the criminal of opportunity.

Mac administrators and users should never perform web surfing as an administrator account. Run No-Script, Click to Flash, Flash Block and set Preview.app to open PDF files. Also make sure that you only open files from trusted sources that presents evidence to validate that trust. For example use email with PGP to confirm the identity of the sender. Passwords should be complex, never shared, never used across systems, especially public systems and change at least every 2 months.

(Please note all cool buzz names have been removed, I have had too many meetings using buzz topics the last couple of months. I hoped at one time Web 2.0 would die and still people use it without knowing it was created to describe a host of technologies, no one writes Web 2.0 code. Sorry about the side bar but after reading "The Four Forces Shaping Cyber Security by William W. Agresti in IEEE Computer magazine which states that we should now use the term CyberSecurity exclusively to allow the public to get a better understanding. I am in the camp that Cyber anything is a bad idea but what do I know.)