Re: Personal Web Sharing remote stop

["Erik Neuenschwander" <erikn () well com>]

"Terje Bless" <link () tss no> wrote:
> On 16.05.01 at 10:01, Ron Trenka <ron () zowiedigital com> wrote:
>
> > > BTW, if anyone has contacts at Apple _please_ bug them about starting
to
> > > take security seriously! It looks like the last update to Mac OS X
> > > (10.0.3) was to close the recent glob hole, but it isn't mentioned in
the
> > > release notes. Just some vague "security related fixes".
> >
> > That was part of the update.  The biggest thing was to add the CD
burning
> > capability.
>
> Nope. That was .1 or .2 (I can't be bothered to check right now). .3
added
> /more/ CD-RW support and some vaguely hinted at security fixes involving
> FTP that just _scream_ at me that they've closed the glob hole but
aren't
> telling because then they'd have to fess up to having been bitten by it
in
> the first place. The worst part is that I fully expect the added CD-TW
> support was the more compelling reason for the upgrade; the FTP fix was
> just piggybacking along. *sigh*
>
> "This update delivers CD burning support for iTunes, a number of
>  improvements for overall application stability and includes the
>  latest version of the Internet file transfer service (ftpd)
>  which features important security improvements."

Well, they now have more of a clue... Apple's finally got a security site
up!

http://www.apple.com/support/security/security.html
describes their processes
http://www.apple.com/supprt/security/security_updates.html
lists their updates and what vulnerabilities they patch

And, yes, it was the glob hole and it is now fixed.  They even link to the
CERT Advisory.

--
Erik Neuenschwander           Managing Director, i-Appliance Association
erikn () cs stanford edu              Graduate Student, Stanford Philosophy
erikn () i-appliance org                    http://www.stanford.edu/~erikn/