Dailydave mailing list archives

Re: Tool release: [evilgrade] - A question about Mac Updates


From: "Francisco Amato" <noreply () infobyte com ar>
Date: Tue, 29 Jul 2008 10:31:22 -0300

Hello Joanna,
The module osx.pm exploits the vulnerability CVE-2007-5863, discovered
by Moritz Jodeit.
This module allows for arbitrary command execution through the "cmd" variable.
Regards,

-- 
Francisco Amato

[ISR] - Infobyte Security Research
Chile 1441 - Segundo Cuerpo - Primer Piso
[C1098ABC] Buenos Aires - Argentina
Tel: 43837000
http://www.infobyte.com.ar

On Tue, Jul 29, 2008 at 5:05 AM, Joanna Rutkowska
<joanna () invisiblethingslab com> wrote:

[ISR] - Infobyte Security Research wrote:
|
| Implemented modules:
| ---------------------------------
| - Java plugin
| - Winzip
| - Winamp
| - MacOS
| - OpenOffices
| - iTunes
| - Linkedin Toolbar
| - DAP [Download Accelerator]
| - notepad++
| - speedbit
|

So, Mac OSX's Software Update doesn't verify signatures of the update
packages it downloads? Given Leopard's so much advertised code
signing feature, I would expect that all the updates are signed. Can you
please comment on this?

For example most of the Apple-provided App packages are indeed signed --
you can verify this using e.g. this command:

find /Applications -name "*.app" -exec codesign -v {} \;

Some interesting exceptions though:

/Applications/iWork '08/Keynote.app: code object is not signed
/Applications/iWork '08/Numbers.app: code object is not signed
/Applications/iWork '08/Pages.app: code object is not signed

:)

Unfortunately verifying e.g. /System/Library/Extensions is even worse,
i.e. even more unsigned packages.

But still, I would expect that maybe Apple doesn't sign every single
executable (BTW, MS is doing that since Windows 2000), but at least signs
the update packages? No?!

Thanks,
joanna.
