[Am-info] Security Researcher Claims Apple Update Vulnerable
Mitch Stone
mitchstone@mac.com
Thu, 18 Jul 2002 11:39:17 -0700
This discussion is pretty technical (over my head, for the most part), but
it does say DNS spoofing is required, as I'd read previously. According to
the first comment in the thread, this is "super trivial if you are local,
pretty easy on the same subnet, and usually possible across the Internet."
From which I take, if you're not on a large network, and you have a decent
ISP, the potential for your DNS to be spoofed isn't very great.
Right, fred-info sounds about right.
Mitch
On Thursday, July 18, 2002, at 10:52 AM, Eric Bennett wrote:
> Mitch Stone wrote:
>>
>> Sorry, but from my reading on this subject, exploiting this vulnerability
>> required compromising a domain name server, which isn't child's play from
>> what I understand. It also required being very [un]lucky. Someone on the
>> other side of the DNS has to run the Software Update control panel while
>> the server is compromised. Possible? Yes. Probable? I don't think so.
>
> Not that this thread has anything even *remotely* to do with am-info
> (maybe
> we should rename it fred-info?), but no, it doesn't require compromising
> a
> name server.
>
> See these and the other messages in the thread:
> http://online.securityfocus.com/archive/1/281139/2002-07-08/2002-07-14/0
> http://online.securityfocus.com/archive/1/281911/2002-07-08/2002-07-14/0
>
>
> --
> Eric Bennett ( ericb@pobox.com ; http://www.pobox.com/~ericb )
>
> Whether you're here by birth, or whether you're in America by choice,
> you contribute to the vitality of our life. And for that, we are
> grateful. - George W. Bush, May 17 2002
> _______________________________________________
> Am-info mailing list
> Am-info@lists.essential.org
> http://lists.essential.org/mailman/listinfo/am-info
>