UBB.Developers Forums General Discussion Chit Chat Mac OS X not perfect?

I would say it's not, here you go kids...news you can use!

quote:

---

Caution: Apple's Software Update Has Been Hacked

Monday, July 8, 2002
By Senior Editor John H. Farr

According to ZDNet UK, "no patch is understood to be available," and Apple hasn't commented publicly yet, but as far as we know, the cat is out of the bag, now that the hacker responsible has posted full instructions on his Web site. Anyone following the procedure can install a "backdoor" on any OS X-equipped Macintosh computer, and if you don't know what that means, perhaps you should.

Here's most of what is known so far:

"The exploit takes advantage of Apple's software updating mechanism in OS X, called Software Update, which checks weekly for new updates from Apple. According to hacker Russell Harding, who claims to have discovered the exploit, the Mac OS X Software Update feature downloads these updates over the HTTP protocol with no authentication, and installs them as root on the system.
It is a trivial matter, according to Harding, to use any one of several well-known techniques to trick a user into installing a malicious program posing as an update from Apple. Such techniques include DNS spoofing and DNS Cache Poisoning."

Comments: We are not aware of any malicious activity currently taking place that utilizes this vulnerability, but that could change. Automatic software updating is an increasingly popular technology in the industry as a whole, but it looks like there's still some work to be done. Oh, and for any new Mac OS X users who haven't figured out the obvious, what you need to do is make sure Software Update is set for manual updating, at least until this is straightened out. Hint: most of the big boys do it that way anyhow.

---