Information Security News mailing list archives
Re: Apple: Taking OS X security seriously -- finally
From: InfoSec News <isn () c4i org>
Date: Tue, 9 Jul 2002 07:03:24 -0500 (CDT)
Forwarded from: Kurt Seifried <listuser () seifried org>

Too bad Apple's software update service is totally insecure (packages are not signed at all, no use of https://, etc.). I was about to release an advisory on this sometime this week but someone beat me to the punch. If you have a local shell on Mac OS X you can compromise the system trivially, local subnet is pretty easy, across the inet it's doable as well (need to DNS poison/ARP poison/etc.).

Apple is no better/worse than the other BSD vendors, same backend, same problems, I don't see them finding and fixing a huge number of holes (i.e. OpenSSH, Apache...etc.). BTW Apple's update for Apache was ~2 weeks late.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

----- Original Message -----
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Monday, July 08, 2002 5:18 AM
Subject: Re: [ISN] Apple: Taking OS X security seriously -- finally
Forwarded from: Richard Forno <rforno () infowarrior org>

Overall, a good article..... Apple OS X is still one of the more secure out-of-the-box OSes you can find. Few if any services are enabled by default, and those that are, are easily disabled if necessary.

However, the article fails to mention that Apple promptly admits responsibility when they screw up -- a few months ago Apple released an update to iTunes, its popular MP3 player, but unknowingly one of its developers included in the install script a Unix command to erase a user's data directory!! Not only did Apple pull the upgrade from its website immediately, but within 24 hours a revised installer was posted, along with a statement admitting it was Apple's fault for causing the problem. Further, Apple told those that lost data as a result that it would reimburse them for purchasing disk utilities (e.g., Norton stuff) and/or the price to have a professional restore their data. You'll never see this level of public responsibility from other, larger software monopolies.
[...]

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.
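The complaint in the first message above is that the update client trusts whatever bytes arrive over a plain http:// fetch, so anyone who can DNS- or ARP-spoof the path can hand it a substitute package. The following is an added example, not code from the original posts and not Apple's update mechanism: it sketches what a client has to do instead, namely verify a vendor-signed manifest against a public key baked into the client, then verify each package's hash against that manifest. The RSA key (built from two Mersenne primes), the manifest and the package bytes are all constructed for the example; the signature scheme is textbook RSA over SHA-256 with no padding, kept only to make the flow runnable without third-party libraries. A real client would use a vetted library (Ed25519 or RSA-PSS), which is an assumption of this example, not something the thread discusses.

```python
"""Toy update client: verify a signed manifest, then verify package hashes.

Keys, manifest and package bytes are all constructed for this example.
"""
import hashlib
import json

# Toy RSA key built from two known Mersenne primes (constructed for the
# example; a real vendor would use a vetted library with Ed25519 or RSA-PSS).
_P = 2**127 - 1
_Q = 2**521 - 1
PUBLIC_E = 65537
PUBLIC_N = _P * _Q            # ~648 bits, comfortably larger than a SHA-256 digest
_PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))   # vendor side only


def sha256_int(data: bytes) -> int:
    """SHA-256 of data as an integer, so it can be used as the RSA message."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_manifest(manifest: bytes) -> int:
    """Vendor side: textbook RSA over SHA-256 (no padding; illustration only)."""
    return pow(sha256_int(manifest), _PRIVATE_D, PUBLIC_N)


def verify_manifest(manifest: bytes, signature: int) -> bool:
    """Client side: PUBLIC_N/PUBLIC_E are baked into the client, the trust anchor."""
    return pow(signature, PUBLIC_E, PUBLIC_N) == sha256_int(manifest)


def install_ok(name: str, package: bytes, manifest: bytes, signature: int) -> bool:
    """True only if the manifest is authentic and the package matches its entry."""
    if not verify_manifest(manifest, signature):
        return False                      # manifest forged or modified in transit
    entry = json.loads(manifest).get(name)
    if entry is None:
        return False                      # package not covered by the manifest
    return hashlib.sha256(package).hexdigest() == entry["sha256"]


# --- constructed sample data ------------------------------------------------
GOOD_PKG = b"#!/bin/sh\necho 'Security Update 2002-07 (constructed)'\n"
EVIL_PKG = b"#!/bin/sh\necho 'attacker payload (constructed)'\n"

MANIFEST = json.dumps(
    {"SecurityUpdate": {"version": "2002-07",
                        "sha256": hashlib.sha256(GOOD_PKG).hexdigest()}},
    sort_keys=True).encode()
SIGNATURE = sign_manifest(MANIFEST)

# What an on-path attacker (ARP/DNS spoofing of an http:// fetch) would serve:
# the swapped package, plus a rewritten manifest that lists the swapped hash.
FORGED_MANIFEST = json.dumps(
    {"SecurityUpdate": {"version": "2002-07",
                        "sha256": hashlib.sha256(EVIL_PKG).hexdigest()}},
    sort_keys=True).encode()


def scenario_results() -> dict:
    """Run the four cases a practitioner would want to see side by side."""
    unsigned_hash_only = (hashlib.sha256(EVIL_PKG).hexdigest()
                          == json.loads(FORGED_MANIFEST)["SecurityUpdate"]["sha256"])
    return {
        "genuine":          install_ok("SecurityUpdate", GOOD_PKG, MANIFEST, SIGNATURE),
        "package swapped":  install_ok("SecurityUpdate", EVIL_PKG, MANIFEST, SIGNATURE),
        "manifest swapped": install_ok("SecurityUpdate", EVIL_PKG, FORGED_MANIFEST, SIGNATURE),
        # A client that checks hashes from an unsigned manifest accepts the attack.
        "hash-only client": unsigned_hash_only,
    }


if __name__ == "__main__":
    for case, accepted in scenario_results().items():
        print(f"{case:17s} -> {'install' if accepted else 'REJECT'}")
```

The last case is the one that matters for the thread: hashes alone buy nothing when the hash list travels over the same untrusted channel as the package. Transport security (https://) narrows the window for on-path substitution, but the signature check against a pinned key is what makes the result independent of where the bytes came from.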
Current thread:
- Apple: Taking OS X security seriously -- finally InfoSec News (Jul 03)
- <Possible follow-ups>
- Re: Apple: Taking OS X security seriously -- finally InfoSec News (Jul 08)
- Re: Apple: Taking OS X security seriously -- finally InfoSec News (Jul 09)