From: InfoSec News (isn_at_c4i.org)
Date: Tue Jul 09 2002 - 07:03:24 CDT


    Forwarded from: Kurt Seifried <listuser@seifried.org>

    Too bad Apple's software update service is totally insecure (packages
    are not signed at all, no use of https://, etc.). I was about to
    release an advisory on this sometime this week but someone beat me to
    the punch. If you have a local shell on Mac OS X you can compromise the
    system trivially, local subnet is pretty easy, across the inet it's
    doable as well (need to DNS poison/ARP poison/etc.). Apple is no
    better/worse than the other BSD vendors, same backend, same problems,
    I don't see them finding and fixing a huge number of holes (i.e.
    OpenSSH, Apache... etc.).

    BTW Apple's update for Apache was ~2 weeks late.

    Kurt Seifried, kurt@seifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/

    ----- Original Message -----
    From: "InfoSec News" <isn@c4i.org>
    To: <isn@attrition.org>
    Sent: Monday, July 08, 2002 5:18 AM
    Subject: Re: [ISN] Apple: Taking OS X security seriously -- finally

    > Forwarded from: Richard Forno <rforno@infowarrior.org>
    >
    > Overall, a good article... Apple OS X is still one of the more
    > secure out-of-the-box OSes you can find. Few if any services are
    > enabled by default, and those that are, are easily disabled if
    > necessary.
    >
    > However, the article fails to mention that Apple promptly admits
    > responsibility when they screw up -- a few months ago Apple released
    > an update to iTunes, its popular MP3 player - but unknowingly, one
    > of its developers included in the install script a unix command to
    > erase a user's data directory!!
    >
    > Not only did Apple pull the upgrade from its website immediately,
    > but within 24 hours a revised installer was posted, along with a
    > statement admitting it was Apple's fault for causing the problem.
    > Further, Apple told those that lost data as a result that it would
    > reimburse them for purchasing disk utilities (e.g., Norton stuff)
    > and/or the price to have a professional restore their data. You'll
    > never see this level of public responsibility from other, larger
    > software monopolies.

    [...]

    -
    ISN is currently hosted by Attrition.org
