
Re: Apple: Taking OS X security seriously -- finally

From: InfoSec News <isn_at_c4i.org>
Date: Tue, 9 Jul 2002 07:03:24 -0500 (CDT)

Forwarded from: Kurt Seifried <listuser_at_seifried.org>

Too bad Apple's software update service is totally insecure (packages
are not signed at all, no use of https://, etc.). I was about to
release an advisory on this sometime this week but someone beat me to
the punch. If you have a local shell on Mac OS X you can compromise the
system trivially, local subnet is pretty easy, across the inet it's
doable as well (need to dns poison/arp poison/etc). Apple is no
better/worse than the other BSD vendors, same backend, same problems,
I don't see them finding and fixing a huge number of holes (i.e.
OpenSSH, Apache...etc.).

BTW Apple's update for Apache was ~2 weeks late.

Kurt Seifried, kurt_at_seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "InfoSec News" <isn_at_c4i.org>
To: <isn_at_attrition.org>
Sent: Monday, July 08, 2002 5:18 AM
Subject: Re: [ISN] Apple: Taking OS X security seriously -- finally

> Forwarded from: Richard Forno <rforno_at_infowarrior.org>
>
> Overall, a good article..... Apple OSX is still one of the more
> secure out-of-the-box OSes you can find. Few if any services are
> enabled by default, and those that are, are easily disabled if
> necessary.
>
> However, the article fails to mention that Apple promptly admits
> responsibility when they screw up -- a few months ago Apple released
> an update to iTunes, its popular MP3 player - but unknowingly, one
> of its developers included in the install script a unix command to
> erase a user's data directory!!
>
> Not only did Apple pull the upgrade from its website immediately,
> but within 24 hours a revised installer was posted, along with a
> statement admitting it was Apple's fault for causing the problem.
> Further, Apple told those that lost data as a result that it would
> reimburse them for purchasing disk utilities (e.g., Norton stuff)
> and/or the price to have a professional restore their data. You'll
> never see this level of public responsibility from other, larger
> software monopolies.

[...]
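The weakness Kurt describes above is that an update client accepts whatever bytes the network hands it, so every hop between vendor and host becomes a trust boundary. The added example below (not part of the original post, and not Apple's updater) shows the client-side check that removes that dependence on the transport: the update metadata and payload are covered by an Ed25519 signature, the client verifies it against a key pinned in advance, and an unsigned or modified package is refused before anything is installed. The package structure, the vendor key pair and the installer bytes are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical update record. The signature covers the
// name, version and payload together, so a genuine old payload cannot be
// replayed under a different version string.
type UpdatePackage struct {
	Name      string
	Version   string
	Payload   []byte // installer bytes as received over the network
	Signature []byte // Ed25519 signature; nil means the package is unsigned
}

var (
	ErrUnsigned = errors.New("update rejected: package carries no signature")
	ErrBadSig   = errors.New("update rejected: signature does not verify against the pinned vendor key")
)

// signingInput derives the bytes that are signed and verified. Fields are
// separated by NUL so "a"+"bc" and "ab"+"c" cannot collide.
func signingInput(p UpdatePackage) []byte {
	h := sha256.New()
	h.Write([]byte(p.Name + "\x00" + p.Version + "\x00"))
	h.Write(p.Payload)
	return h.Sum(nil)
}

// SignPackage is the vendor-side step: sign with the private key that stays
// on the build system, never on the download servers.
func SignPackage(priv ed25519.PrivateKey, p UpdatePackage) UpdatePackage {
	p.Signature = ed25519.Sign(priv, signingInput(p))
	return p
}

// VerifyPackage is the client-side gate. With this check the download channel
// (plain HTTP, a poisoned DNS answer, a hostile LAN) can only cause a failed
// update, not the installation of attacker-chosen bytes.
func VerifyPackage(pinned ed25519.PublicKey, p UpdatePackage) error {
	if len(p.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pinned, signingInput(p), p.Signature) {
		return ErrBadSig
	}
	return nil
}

// Demo exercises the three cases a defender cares about: a genuine signed
// package, a package altered in transit, and a package with no signature.
func Demo() (genuineOK bool, tamperedErr error, unsignedErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	if err != nil {
		panic(err)
	}
	pkg := UpdatePackage{
		Name:    "example-app",
		Version: "1.0.1",
		Payload: []byte("constructed installer bytes"),
	}
	signed := SignPackage(priv, pkg)
	genuineOK = VerifyPackage(pub, signed) == nil

	// Simulate modification in transit: copy, then change one payload byte.
	tampered := signed
	tampered.Payload = append([]byte(nil), signed.Payload...)
	tampered.Payload[0] ^= 0x01
	tamperedErr = VerifyPackage(pub, tampered)

	// The original, never-signed record: refused regardless of content.
	unsignedErr = VerifyPackage(pub, pkg)
	return genuineOK, tamperedErr, unsignedErr
}

func main() {
	ok, tamperedErr, unsignedErr := Demo()
	fmt.Println("genuine package accepted:", ok)
	fmt.Println("tampered package:", tamperedErr)
	fmt.Println("unsigned package:", unsignedErr)
}
```

The pinned public key has to reach the client by a path the updater itself does not control, typically shipped with the OS image, because a key fetched over the same unauthenticated channel would verify nothing. Signature verification also does not by itself stop a downgrade to an older, still-validly-signed package; the version field is bound into the signature here so that a client which additionally refuses any version below its current one is protected against that too.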

ISN is currently hosted by Attrition.org
Received on Jul 09 2002