[26088] in bugtraq
Re: MacOS X SoftwareUpdate Vulnerability
daemon@ATHENA.MIT.EDU (Kurt Seifried)
Mon Jul 8 16:26:34 2002
Message-ID: <001b01c226b0$a2e87c80$1400020a@chaser>
Reply-To: "Kurt Seifried" <bugtraq@seifried.org>
From: "Kurt Seifried" <bugtraq@seifried.org>
To: "Russell Harding" <hardingr@ucsub.colorado.edu>,
"Julian Suschlik" <julian.suschlik@gmx.net>
Cc: <bugtraq@securityfocus.com>
Date: Mon, 8 Jul 2002 12:52:40 -0600
>> Date: July 6, 2002
>> Version: MacOS 10.1.X and possibly 10.0.X
>> Problem: MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via
>> HTTP with no authentication, leaving it vulnerable to attack.
>[...]
>> Solution/Patch/Workaround:
>[...]
>
>A possible workaround:
>
>System Preferences -> Software Update -> Update Software: [x] Manually
>Don't touch the "Update Now"-Button!
>
>Look for updates on http://www.info.apple.com/support/downloads.html
>Use trusted networks or http-to-mail gateway to get the files.
How is this an improvement? The whole premise of the attack relies on
DNS/ARP poisoning/spoofing, which is super trivial if you are local, pretty
easy on the same subnet, and usually possible across the Internet. So
instead of directing you to swquery.apple.com or *.g.akamai.net I simply
redirect you to my version of www.apple.com.
Apple doesn't even post MD5 sums of the files, let alone a PGP/GnuPG
signature; there is absolutely no verification of the packages as far as I
can tell.
>HTH,
>
>Julian
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.iDefense.com/