Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Apple: Taking OS X security seriously -- finally

From: InfoSec News <isn () c4i org>
Date: Tue, 9 Jul 2002 07:03:24 -0500 (CDT)
Forwarded from: Kurt Seifried <listuser () seifried org>

To bad apple's software update service is totally insecure (packages
are not signed at all, no use of https://, etc.). I was about to
relase an advisory on this sometime this week but someone beat me to
the punch. If you have a local shell on macosx you can compromise the
system trivially, local subnet is pretty easy, across the inet it's
doable as well (need to dns poison/arp poison/etc). Apple is no
better/worse then the other BSD vendors, same backend, same problems,
I don't see them finding and fixing a huge number of holes (i.e.
OpenSSH, Apache...etc.).

BTW Apple's update for Apache was ~2 weeks late.


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


----- Original Message -----
From: "InfoSec News" <isn () c4i org>
To: <isn () attrition org>
Sent: Monday, July 08, 2002 5:18 AM
Subject: Re: [ISN] Apple: Taking OS X security seriously -- finally



Forwarded from: Richard Forno <rforno () infowarrior org>

Overall, a good article.....Apple OSX is still one of the more
secure out-of-the-box OSes you can find. Few if any services are
enabled by default, and those that are are easily disabled if
necessary.

However, the article fails to mention that Apple promptly admits
responsibility when they screw up -- a few months ago Apple released
an update to iTunes, its popular MP3 player - but unknowingly, one
of its developers included in the install script a unix command to
erase a user's data directory!!

Not only did Apple pull the upgrade from its website immediately,
but within 24 hours a revised installer was posted, along with a
statement admitting it was Apple's fault for causing the problem.
Further, Apple told those that lost data as a result that it would
reimburse them for purchasing disk utilities (eg, Norton stuff)
and/or the price to have a professional restore their data. You'll
never see this level of public responsibility from other, larger
software monopolies.


[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: