Dailydave mailing list archives
Re: Tool release: [evilgrade] - A question about Mac Updates
From: "Francisco Amato" <noreply () infobyte com ar>
Date: Tue, 29 Jul 2008 10:31:22 -0300
Hello Joanna, The module osx.pm exploit the vulnerability CVE 2007-5863, discoverer by Moritz Jodeit. This module allows for arbitrary command execution through "cmd" variable. Regards, -- Francisco Amato [ISR] - Infobyte Security Research Chile 1441 - Segundo Cuerpo - Primer Piso [C1098ABC] Buenos Aires - Argentina Tel: 43837000 http://www.infobyte.com.ar On Tue, Jul 29, 2008 at 5:05 AM, Joanna Rutkowska <joanna () invisiblethingslab com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [ISR] - Infobyte Security Research wrote: | | Implemented modules: | --------------------------------- | - Java plugin | - Winzip | - Winamp | - MacOS | - OpenOffices | - iTunes | - Linkedin Toolbar | - DAP [Download Accelerator] | - notepad++ | - speedbit | So, Mac OSX's Software Update doesn't verify signatures of the update packages it downloads? Given then Leopard's so much advertised code signing feature, I would expect that all the updates are signed. Can you please comment on this? For example most of the Apple-provided App packages are indeed signed -- you can verify this using e.g. this command: find /Applications -name "*.app" -exec codesign -v {} \; Some interesting exceptions though: /Applications/iWork '08/Keynote.app: code object is not signed /Applications/iWork '08/Numbers.app: code object is not signed /Applications/iWork '08/Pages.app: code object is not signed :) Unfortunately verifying e.g. /System/Library/Extensions is even worse, i.e. even more unsigned packages. But still, I would expect that maybe Apple doesn't sign every single executable (BTW, MS is doing that since Windows 2000), but at least signs the update packages? No?! Thanks, joanna. -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkiOzz4ACgkQORdkotfEW87J8wCeK5GUh5OlsWdoDEGPRaAOHt27 joEAoL+XFo1xCBCkSaUmPVinKLNwO++P =ZShx -----END PGP SIGNATURE-----
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Tool release: [evilgrade] - Using DNS cache poisoning to exploit poor update implementations [ISR] - Infobyte Security Research (Jul 28)
- Message not available
- Re: Tool release: [evilgrade] - A question about Mac Updates Francisco Amato (Jul 29)
- Message not available