Hello SC-Lers,
I saw this blog and thought it may be of interest here:
http://blogs.zdnet.com/security/?p=2861
According to the blog, there's a design issue (read: flaw) in iTunes
that can allow a maliciously formed podcast to cause a user to get
prompted for a username/password -- to iTunes itself. That dialog box
can then be hijacked and the victim's credentials stolen.
What made it interesting to me was a couple of things: first, the cited
advisory from Apple (http://support.apple.com/kb/HT3487) clearly says
it's a design issue. Tells me we're not likely to see a real fix for
a while, IMHO. Indeed, Apple's initial "fix" to this design issue is,
"This update addresses the issue by clarifying the origin of the
authentication request in the dialog." That doesn't sound like much
of a fix at all, and I'd expect a lot of users will still fall for the
dialog box ruse. Sigh...
Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___