Penetration Testing mailing list archives
Re: Apple pentesting
From: "sam f. stover" <sstover () atrc sytexinc com>
Date: Tue, 5 Apr 2005 14:44:09 -0400
On Apr 5, 2005, at 1:47 PM, Todd Towles wrote:
Nessus does work against Macs, the problem with testing Macs is they never released vulnerability statements..never. If a hole is found, Apple releases a patch and no one says anything. If Microsoft did this..everyone would go crazy.
Hrm - I'm a Mac owner, and subscribe to security-announce () lists apple com. Here is a link to their Apple Product Security web site for a specific notification that I received:

http://docs.info.apple.com/article.html?artnum=61798

Clicking on one of the Security Update links given, will take you to here:

http://docs.info.apple.com/article.html?artnum=301061

Which goes into detail (i.e. CVE, Impact, Credit, etc.) for each issue addressed in this particular update. All of this information is in the mailing, which I've included also:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-03-24 Java Web Start

Sun has published "Security Vulnerability With Java Web Start" which is fixed for Mac OS X in Security Update 2005-002. Systems that have already installed Security Update 2005-002 do not need to re-install it.

Available for: Java 1.4.2
CVE-ID: CAN-2005-0418
Impact: Updates Java to address an issue in Java Web Start that allows an untrusted application to elevate its privileges
Description: A vulnerability in Java Web Start allows an untrusted application to elevate its privileges. For example an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the Java Web Start application. Releases prior to Java 1.4.2 are not affected by this vulnerability. Further information is available in Document ID 57740 from Sun's security web site at http://sunsolve.sun.com/

Security Update 2005-002 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "SecUpd2005-002Pan.dmg"
Its SHA-1 digest is: a97552dcd6ad73c573154e2a310f09595db4fb4c

Information will also be posted to the Apple Product Security web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key, and details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----

--
S.f. Stover
sstover () atrc sytexinc com

Mind the gap.
-- English proverb
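
Added example, not part of the original message or Apple's tooling: a small parser that pulls the labelled fields (CVE-ID, Impact, Available for) and the download name and SHA-1 digest out of an advisory laid out like the one quoted above, then checks a downloaded file against it. The function names and the re-wrapped sample text are assumptions made for the illustration.

```python
import hashlib
import os
import re

# Constructed sample: fields copied from the advisory quoted above, re-wrapped.
ADVISORY = """\
APPLE-SA-2005-03-24 Java Web Start

Available for:  Java 1.4.2
CVE-ID:  CAN-2005-0418
Impact:  Updates Java to address an issue in Java Web Start that allows
an untrusted application to elevate its privileges

The download file is named:  "SecUpd2005-002Pan.dmg"
Its SHA-1 digest is:  a97552dcd6ad73c573154e2a310f09595db4fb4c
"""

FIELD_END = r"(?=\n\s*\n|\n[A-Z][\w -]*:|\Z)"  # blank line, next label, or end

def parse_advisory(text):
    """Extract the advisory id, labelled fields and {file name: SHA-1}."""
    m = re.search(r"^(APPLE-SA-\d{4}-\d{2}-\d{2})\b", text, re.M)
    fields = {}
    for label in ("Available for", "CVE-ID", "Impact"):
        f = re.search(rf"^{re.escape(label)}:[ \t]*(.+?){FIELD_END}",
                      text, re.M | re.S)
        if f:
            fields[label] = " ".join(f.group(1).split())  # unwrap folded lines
    names = re.findall(r'file is named:\s*"([^"]+)"', text)
    digests = re.findall(r"SHA-1 digest is:\s*([0-9a-fA-F]{40})\b", text)
    return {"id": m.group(1) if m else None, "fields": fields,
            "downloads": dict(zip(names, (d.lower() for d in digests)))}

def file_sha1(path, chunk=1 << 20):
    """Hash the file in chunks so a large disk image is not read at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, advisory):
    """True only if the file's name is listed and its digest matches."""
    expected = advisory["downloads"].get(os.path.basename(path))
    return expected is not None and file_sha1(path) == expected
```

The digest is only as trustworthy as the advisory that carries it, so the PGP signature on the message should be verified before the parsed value is relied on.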