Bugtraq mailing list archives

Re: MacOS X SoftwareUpdate Vulnerability

From: "Kurt Seifried" <bugtraq () seifried org>
Date: Mon, 8 Jul 2002 12:52:40 -0600

Date:      July 6, 2002
Version:   MacOS 10.1.X and possibly 10.0.X
Problem:   MacOS X SoftwareUpdate connects to the SoftwareUpdate Server

via

           HTTP with no authentication, leaving it vulnerable to attack.

[...]

Solution/Patch/Workaround:

[...]

A possible workaround:

System Preferences -> Software Update -> Update Software: [x] Manually
Don´t touch the "Update Now"-Button!

Look for updates on http://www.info.apple.com/support/downloads.html
Use trusted networks or http-to-mail gateway to get the files.


How is this an improvement? The whole premise of the attack relies on
DNS/ARP poisoning/spoofing, which is super trivial if you are local, pretty
easy on the same subnet, and usually possible across the Internet. So
instead of directing you to swquery.apple.com or *.g.akamai.net I simply
redirect you to my version of www.apple.com.

Apple doesn't even post MD5 sum's of the files, let alone a PGP/GnuPG
signature, there is absoulutely no verification of the packages as far as I
can tell.

HTH,

Julian


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
http://www.iDefense.com/

Current thread:

MacOS X SoftwareUpdate Vulnerability Russell Harding (Jul 07)
- Re: MacOS X SoftwareUpdate Vulnerability Julian Suschlik (Jul 08)
  - Re: MacOS X SoftwareUpdate Vulnerability Kurt Seifried (Jul 08)
  - Re: MacOS X SoftwareUpdate Vulnerability Corey J. Steele (Jul 11)
    - Re: MacOS X SoftwareUpdate Vulnerability gabriel rosenkoetter (Jul 12)
- <Possible follow-ups>
- RE: MacOS X SoftwareUpdate Vulnerability jaehnel (Jul 13)
- RE: MacOS X SoftwareUpdate Vulnerability Hundley, Gordon - Princeton (Jul 15)