[26080] in bugtraq
Re: MacOS X SoftwareUpdate Vulnerability
daemon@ATHENA.MIT.EDU (Julian Suschlik)
Mon Jul 8 11:19:57 2002
Date: Mon, 8 Jul 2002 16:42:21 +0200
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Mime-Version: 1.0 (Apple Message framework v482)
Cc: bugtraq@securityfocus.com
To: Russell Harding <hardingr@ucsub.colorado.edu>
From: Julian Suschlik <julian.suschlik@gmx.net>
In-Reply-To: <Pine.GSO.4.40.0207062216280.15196-100000@ucsub.colorado.edu>
Message-Id: <E90015E5-9280-11D6-B733-00039352123C@gmx.net>
Content-Transfer-Encoding: 8bit
Hi,
On Sunday, July 7, 2002, at 06:21, Russell Harding wrote:
> ----------------------------------------------------------------------------
> MacOS X SoftwareUpdate Vulnerability.
> ----------------------------------------------------------------------------
>
> Date: July 6, 2002
> Version: MacOS 10.1.X and possibly 10.0.X
> Problem: MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via
> HTTP with no authentication, leaving it vulnerable to attack.
[...]
> Solution/Patch/Workaround:
[...]
A possible workaround:
System Preferences -> Software Update -> Update Software: [x] Manually
Don't touch the "Update Now"-Button!
Look for updates on http://www.info.apple.com/support/downloads.html
Use trusted networks or an http-to-mail gateway to get the files.
HTH,
Julian