July 09, 2002

Mac OS Software-Update Exploit

A recently published exploit calls it "trivial" to trick a user into installing malicious code.
IMHO DNS/ARP spoofing requires at least access to the victim's network, which I wouldn't call "trivial" given the victim's network is considerably well protected.

In any case, it is true that it is a big oversight from Apple not to incorporate any authentication mechanism into its Software-Update program.
They could at least somehow GPG-sign their downloads and have Software-Update verify the signatures.
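
The check proposed above, sketched as an added example (not code from Apple or from this post): a shell function that refuses an update unless its detached OpenPGP signature verifies against a vendor keyring already present on the machine. The function names, argument order and keyring path are assumptions; `gpgv` is GnuPG's verification-only tool.

```shell
#!/bin/sh
# Added example: authenticate a downloaded update before installing it.
# The vendor public key must already be on the machine (shipped with the OS);
# a key fetched from the same server as the update proves nothing, because
# whoever can spoof the download can spoof the key as well.

# verify_update KEYRING PACKAGE SIGNATURE
# Returns 0 only if SIGNATURE is a valid detached signature over PACKAGE
# made by a key contained in KEYRING. Pass KEYRING as a path with a slash,
# otherwise gpgv looks for it in its home directory.
verify_update() {
    keyring=$1
    pkg=$2
    sig=$3
    # Fail closed: a missing keyring, package or signature is a rejection.
    [ -r "$keyring" ] && [ -r "$pkg" ] && [ -r "$sig" ] || return 2
    # gpgv trusts exactly the keys in the given keyring and never contacts
    # a keyserver. Exit status is 0 only for a good signature.
    gpgv --keyring "$keyring" "$sig" "$pkg" >/dev/null 2>&1
}

# install_update KEYRING PACKAGE SIGNATURE
# Hypothetical wrapper: the real installer would run only after verification.
install_update() {
    if verify_update "$1" "$2" "$3"; then
        echo "signature OK, installing $2"
        # (installer invocation would go here)
        return 0
    fi
    echo "signature check failed, refusing $2" >&2
    return 1
}
```

With this in place a spoofed DNS or ARP answer can still redirect the download, but the substituted package is rejected because it carries no signature from the vendor key.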

Don't panic.

Posted by seiz

