[Am-info] Security Researcher Claims Apple Update Vulnerable
Mitch Stone
mitchstone@mac.com
Thu, 18 Jul 2002 09:43:59 -0700
Sorry, but from my reading on this subject, exploiting this vulnerability
required compromising a domain name server, which isn't child's play from
what I understand. It also required being very [un]lucky. Someone on the
other side of the DNS has to run the Software Update control panel while
the server is compromised. Possible? Yes. Probable? I don't think so.
That being said, the lack of authentication was a dumb mistake on Apple's
part. They seem to have fixed it with the latest security update.

Mitch

On Thursday, July 18, 2002, at 02:33 AM, Eric M. Hopper wrote:
> On Thu, 2002-07-18 at 01:03, Mitch Stone wrote:
>> Yes. Apple posted a security update last week. The vulnerability was
>> mainly theoretical, anyway.
>
> I really dislike the characterization of vulnerabilities in this
> fashion. There have been several Linux and Windows vulnerabilities that
> various researchers or corporate PR people have described as 'mainly
> theoretical' that had nasty exploits out in the wild a week later.
>
> Have fun (if at all possible),
> --
> The best we can hope for concerning the people at large is that they
> be properly armed. -- Alexander Hamilton
> -- Eric Hopper (hopper@omnifarious.org
> http://www.omnifarious.org/~hopper) --