Bugtraq mailing list archives
Re: MacOS X SoftwareUpdate Vulnerability
From: "Corey J. Steele" <csteele () good-sam com>
Date: 11 Jul 2002 09:31:27 -0500
What about modifying the search order of `lookupd` and telling it to use /etc/hosts and then using an entry in /etc/hosts to statically identify swquery.apple.com? Might be a viable work-around?

-C

On Mon, 2002-07-08 at 09:42, Julian Suschlik wrote:
> Hi,
>
> On Sunday, 7 July 2002, at 06:21, Russell Harding wrote:
>> ----------------------------------------------------------------------------
>> MacOS X SoftwareUpdate Vulnerability.
>> ----------------------------------------------------------------------------
>> Date: July 6, 2002
>> Version: MacOS 10.1.X and possibly 10.0.X
>> Problem: MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via HTTP with no authentication, leaving it vulnerable to attack.
> [...]
>> Solution/Patch/Workaround:
> [...]
>
> A possible workaround:
> System Preferences -> Software Update -> Update Software: [x] Manually
> Don't touch the "Update Now"-Button!
> Look for updates on http://www.info.apple.com/support/downloads.html
> Use trusted networks or http-to-mail gateway to get the files.
>
> HTH,
> Julian

--
Corey J. Steele, Information Security Analyst
The Evangelical Lutheran Good Samaritan Society
csteele () good-sam com | http://www.good-sam.com
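
An added example, not part of the original message or thread: a check that hosts-file text statically maps swquery.apple.com to exactly one expected address, which is the state the proposed workaround relies on. The address 192.0.2.10, the sample file and the function names are constructed for illustration, and the check says nothing about `lookupd`'s search order.

```python
import ipaddress

# Constructed sample hosts file; 192.0.2.0/24 is a documentation range.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
# 192.0.2.99 swquery.apple.com   (commented out, must be ignored)
192.0.2.10   swquery.apple.com   # static pin
"""

def pinned_addresses(hosts_text, hostname):
    """Return the set of addresses that the hosts text maps hostname to."""
    wanted = hostname.lower().rstrip(".")
    found = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue  # empty line, or an address with no names
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field, not a usable entry
        # Host names are case-insensitive; aliases share the line.
        names = {n.lower().rstrip(".") for n in fields[1:]}
        if wanted in names:
            found.add(str(addr))
    return found

def check_pin(hosts_text, hostname, expected):
    """Classify the pin as 'ok', 'missing' or 'mismatch'."""
    addrs = pinned_addresses(hosts_text, hostname)
    if not addrs:
        return "missing"   # name would fall through to the next lookup source
    if addrs == {str(ipaddress.ip_address(expected))}:
        return "ok"
    return "mismatch"      # wrong address, or conflicting entries

if __name__ == "__main__":
    print(check_pin(SAMPLE_HOSTS, "swquery.apple.com", "192.0.2.10"))
```
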