Hello SC-Lers, I saw this blog and thought it may be of interest here:
http://blogs.zdnet.com/security/?p=2861

According to the blog, there's a design issue (read: flaw) in iTunes that can allow a maliciously formed podcast to cause a user to get prompted for a username/password -- to iTunes itself. That dialog box can then be hijacked and the victim's credentials stolen.
What made it interesting to me was a couple of things: first, the cited advisory from Apple (http://support.apple.com/kb/HT3487) clearly says it's a design issue. Tells me we're not likely to see a real fix for a while, IMHO. Indeed, Apple's initial "fix" to this design issue is, "This update addresses the issue by clarifying the origin of the authentication request in the dialog." That doesn't sound like much of a fix at all, and I'd expect a lot of users will still fall for the dialog box ruse. Sigh...
Cheers,

Ken
-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________