I just wanted to run something by you all..
I heard the SW Update in OS X has a grave security problem since it does not authenticate when connecting to Apple's server. Basically what one could do is to spoof the update server and install whatever you like, naming it perhaps "10.2 update" so people would fall for it..
At http://www.cunap.com/~hardingr/projects/osx/exploit.html you can find an example where it installs a faulty SSH daemon which enables anyone to log in as root quite easily.
This kind of thing keeps a lot of people responsible for security at companies from "upgrading" to X, don't you think?
Now that it's out I will be careful with using the SW Update..