Forwarded from: Kurt Seifried <[EMAIL PROTECTED]>

Too bad Apple's software update service is totally insecure (packages are not signed at all, no use of https://, etc.). I was about to release an advisory on this sometime this week but someone beat me to the punch. If you have a local shell on macosx you can compromise the system trivially, local subnet is pretty easy, across the inet it's doable as well (need to dns poison/arp poison/etc). Apple is no better/worse than the other BSD vendors, same backend, same problems, I don't see them finding and fixing a huge number of holes (i.e. OpenSSH, Apache...etc.).

BTW Apple's update for Apache was ~2 weeks late.

Kurt Seifried, [EMAIL PROTECTED]
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "InfoSec News" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 08, 2002 5:18 AM
Subject: Re: [ISN] Apple: Taking OS X security seriously -- finally

> Forwarded from: Richard Forno <[EMAIL PROTECTED]>
>
> Overall, a good article.....Apple OSX is still one of the more
> secure out-of-the-box OSes you can find. Few if any services are
> enabled by default, and those that are are easily disabled if
> necessary.
>
> However, the article fails to mention that Apple promptly admits
> responsibility when they screw up -- a few months ago Apple released
> an update to iTunes, its popular MP3 player - but unknowingly, one
> of its developers included in the install script a unix command to
> erase a user's data directory!!
>
> Not only did Apple pull the upgrade from its website immediately,
> but within 24 hours a revised installer was posted, along with a
> statement admitting it was Apple's fault for causing the problem.
> Further, Apple told those that lost data as a result that it would
> reimburse them for purchasing disk utilities (eg, Norton stuff)
> and/or the price to have a professional restore their data. You'll
> never see this level of public responsibility from other, larger
> software monopolies.

[...]

-
ISN is currently hosted by Attrition.org
To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.
