Security Update 7-12-02 increases the security of the Software Update process for systems with Software Update client 1.4.5 or earlier. Packages presented via the Software Update mechanism are now cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing new packages. Downloaded packages which do not contain a valid signature are deleted from the system.
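The check described above, as an added example written for this page (it is not Apple's code, and the page does not describe the real signature format or client internals): the update server signs the whole package with a vendor key, the client verifies the download against a public key pinned in the client itself, installs only on success, and deletes the download and its signature file otherwise. Assumptions made here: an Ed25519 detached signature stored beside the package as `<name>.sig`, a hypothetical `installDownloaded` flow with the install step injected so nothing touches the real system, and constructed sample payloads in place of real packages. The scenario also plays out the attack discussed further down this thread: an attacker who redirects the client to a server they control can serve any package and any `.sig`, but cannot produce a signature that verifies under the pinned key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"os"
	"path/filepath"
)

// ErrBadSignature is returned when a downloaded package fails verification.
var ErrBadSignature = errors.New("package signature missing or invalid")

// signPackage is the server side: a detached Ed25519 signature over the
// full package bytes. (Assumed format; not Apple's actual scheme.)
func signPackage(priv ed25519.PrivateKey, pkg []byte) []byte {
	return ed25519.Sign(priv, pkg)
}

// verifyPackage is the client side. pub is the vendor key pinned in the
// client binary; it must never be fetched over the same channel as the update.
func verifyPackage(pub ed25519.PublicKey, pkg, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, pkg, sig)
}

// installDownloaded mirrors the behaviour the summary describes: verify
// first, install only on success, and on failure delete both the package
// and its signature file so nothing unverified lingers on disk.
// install is injected so the flow can run without modifying the system.
func installDownloaded(pub ed25519.PublicKey, pkgPath string, install func(string) error) error {
	sigPath := pkgPath + ".sig"
	pkg, err := os.ReadFile(pkgPath)
	if err != nil {
		return err
	}
	sig, _ := os.ReadFile(sigPath) // a missing .sig simply fails verification
	if !verifyPackage(pub, pkg, sig) {
		os.Remove(pkgPath)
		os.Remove(sigPath)
		return ErrBadSignature
	}
	return install(pkgPath)
}

// Outcome records what happened in runScenario so it can be checked.
type Outcome struct {
	GenuineInstalled bool // vendor-signed package was installed
	ForgedRejected   bool // attacker-signed package returned ErrBadSignature
	ForgedDeleted    bool // and the rejected package was removed from disk
}

// runScenario plays both sides: the vendor signs a real update, then an
// attacker who has redirected the client to their own server serves a
// replacement package signed with a key of their own.
func runScenario() (Outcome, error) {
	var out Outcome
	dir, err := os.MkdirTemp("", "swupdate")
	if err != nil {
		return out, err
	}
	defer os.RemoveAll(dir)

	vendorPub, vendorPriv, err1 := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return out, errors.New("key generation failed")
	}

	// Constructed sample payloads standing in for real package contents.
	genuine := []byte("SecurityUpdate7-12-02.pkg: legitimate contents")
	forged := []byte("SecurityUpdate7-12-02.pkg: attacker payload")

	installed := map[string]bool{}
	install := func(p string) error { installed[p] = true; return nil }
	put := func(p string, b []byte) error { return os.WriteFile(p, b, 0o600) }

	// 1. Genuine update, signed by the vendor key the client has pinned.
	p1 := filepath.Join(dir, "genuine.pkg")
	if put(p1, genuine) != nil || put(p1+".sig", signPackage(vendorPriv, genuine)) != nil {
		return out, errors.New("could not write sample package")
	}
	if err := installDownloaded(vendorPub, p1, install); err != nil {
		return out, err
	}
	out.GenuineInstalled = installed[p1]

	// 2. Attacker controls the server (and so both files) but not the vendor key.
	p2 := filepath.Join(dir, "forged.pkg")
	if put(p2, forged) != nil || put(p2+".sig", signPackage(attackerPriv, forged)) != nil {
		return out, errors.New("could not write sample package")
	}
	err = installDownloaded(vendorPub, p2, install)
	out.ForgedRejected = errors.Is(err, ErrBadSignature) && !installed[p2]
	_, statErr := os.Stat(p2)
	out.ForgedDeleted = os.IsNotExist(statErr)
	return out, nil
}
```

Two details carry the security value. The public key is a constant inside the client, so redirecting the download host (the DNS-spoofing attack this thread is about) gains the attacker nothing beyond the ability to serve files that fail the check. And the signature covers every byte of the package, so a partially modified download is rejected just as a wholly forged one is; deleting the rejected file before returning means a later, less careful code path cannot install it by accident.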
It seems that security is the by-word today. Security, security, security. So many holes…so little time <g>.
I was first, :p
sry eug, couldn’t resist.
feel free to remove useless “post”
btw I work at Atlas Copco Airpower Belgium, I commended your site in our dpt. (AIS networking) and they all regularly check your site now
Take Care
Kevin
oh c’mon
NO FAIR
i wasn’t first after all
oh well
Kevin
I still don’t understand how people can call this a hole. It’s about as much of a hole as already exists in things like Debian, Mandrake, etc. that provide auto-downloading mechanisms which don’t check signatures on packages. I suppose all of my systems using NFS at work have a big gaping security hole in that I’m using host-based authentication. With enough know-how, someone could get on my NFS server and delete all my files.
While host-based authentication isn’t exactly the most ideal solution, it’s not like it hasn’t been done before.
I think the point is that while yes, you would have to spoof the DNS to fool the client, and host-based authentication is a method that has been used before, it is a weakness that could be exploited.
Since it is something that is a pretty easy fix (as evidenced by Apple’s quick release of a patch), it should not go unfixed. Especially when some joker has made available software that allows any script kiddie and their brother to exploit the hole.
Am I the only one giggling like a little schoolgirl at all the utterances of the word “hole” in this thread? I know I can’t be. Heh heh heh… Hole.
Since it is something that is a pretty easy fix (as evidenced by Apple’s quick release of a patch), it should not go unfixed.
I’m not saying that signing packages isn’t a good idea, I’m just saying that I don’t personally consider it a “hole” in the traditional sense.
alexd, as a matter of fact, after I posted, certain thoughts went through my mind and I suddenly pictured Eugenia deleting my post. But, then I thought to myself, “Naw, nobody will think of it in that way”. Wrong again! <g>
I’m just happy to see that Apple has taken it seriously, regardless that the threat might be minimal.
I mean really. In 5 days, there is no way Apple could have come up with a strategy to sign every package, code something that will check for that signature, test it, and then ship it. I figure it is just a coincidence that this ‘hole’ was found and the patch released. Just the Quality Assurance for a patch would take a great deal longer than 5 days!!!!
I still don’t understand how people can call this a hole.
…like a little schoolgirl at all the utterances of the word “hole” in this thread? I know I can’t be.
I’m not saying that signing packages isn’t a good idea; I’m just saying that I don’t personally consider it a “hole” in the traditional sense.
Come on, a hole is always a hole. I don’t see the point of denying it.
Is it just because it’s a MacOS (FreeBSD) hole?
Live with it…
If Apple released a fix, that doesn’t mean all users will apply it, thus the hole will stay alive.
I’m just happy to see that Apple has taken it seriously, regardless that the threat might be minimal
Minimal?
A hole is always a hole (unless you have a firewall, but that’s just my opinion…)
In 5 days, there is no way Apple could have come up with a strategy to sign every package, code something that will check for that signature, test it, and then ship it. I figure it is just a coincidence that this ‘hole’ was found and the patch released.
Here is a *big* coincidence.
Sorry if I misspelled “hole” but I’m not a native English speaker 🙂