>> Date: July 6, 2002 >> Version: MacOS 10.1.X and possibly 10.0.X >> Problem: MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via >> HTTP with no authentication, leaving it vulnerable to attack. >[...] >> Solution/Patch/Workaround: >[...] > >A possible workaround: > >System Preferences -> Software Update -> Update Software: [x] Manually >Donīt touch the "Update Now"-Button! > >Look for updates on http://www.info.apple.com/support/downloads.html >Use trusted networks or http-to-mail gateway to get the files. How is this an improvement? The whole premise of the attack relies on DNS/ARP poisoning/spoofing, which is super trivial if you are local, pretty easy on the same subnet, and usually possible across the Internet. So instead of directing you to swquery.apple.com or *.g.akamai.net I simply redirect you to my version of www.apple.com. Apple doesn't even post MD5 sum's of the files, let alone a PGP/GnuPG signature, there is absoulutely no verification of the packages as far as I can tell. >HTH, > >Julian Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ http://www.iDefense.com/
