The DNS exploit just got a whole lot more serious for Mac users
Mac Enthusiast
Join Date: Oct 1999
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by Tee
This can be solved pretty simply. Sign the updates. If there is no signature or it's not Apple's, then it doesn't install.
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
And fix Safari's behavior with second level domain names.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Safari's behavior doesn't seem relevant to DNS exploits, and it works fine for me anyway.
BTW, make sure your DNS is safe and use OpenDNS's 208.67.222.222 and 208.67.220.220 if not.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
Mac Enthusiast
Join Date: Oct 1999
Originally Posted by Person Man
This can be solved pretty simply. Sign the updates. If there is no signature or it's not Apple's, then it doesn't install.
I had hoped that the updates via 'Software Update' were signed already.
This is not good.
Just the other day I got a small update to NAV 11 on just one of my machines - makes me wonder...
Mac Elite
Join Date: Apr 2002
Location: Illinois
Originally Posted by Person Man
This can be solved pretty simply. Sign the updates. If there is no signature or it's not Apple's, then it doesn't install.
No, don't do that.
How am I supposed to fake an update server at my work if they need to be signed?!
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Originally Posted by King Bob On The Cob
No, don't do that.
How am I supposed to fake an update server at my work if they need to be signed?!
The updater contains the signature. Not the server.
Attackers will not be able to spoof Apple's signature and therefore the installer should refuse to install it.
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Originally Posted by Person Man
The updater contains the signature. Not the server.
Attackers will not be able to spoof Apple's signature and therefore the installer should refuse to install it.
More precisely, the updates themselves would contain the signature and the updater would just make sure it's there and valid. So any update that originates from Apple, no matter how you downloaded it, would be accepted. This means a spoofed update server will be fine as long as it is serving legitimate updates.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
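
The check described in the post above, as an added example that is not part of the original thread and not Apple's actual mechanism: the updater pins the vendor's public key and accepts a package only if its signature verifies, whichever server delivered it. A Lamport one-time signature stands in for the real scheme so the code needs only the standard library; all function names and sample payloads are hypothetical.

```python
import hashlib
import secrets

# Lamport one-time signatures over SHA-256: a stdlib-only stand-in for the
# vendor's real signing scheme (an assumption; the thread names none).

def h(data):
    return hashlib.sha256(data).digest()

def keygen():
    # 256 pairs of random secrets; the public key is the hash of each secret.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(h(a), h(b)) for a, b in sk]

def digest_bits(data):
    d = int.from_bytes(h(data), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def sign(sk, data):
    # Reveal one secret per digest bit; a Lamport key may sign only ONE message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(data))]

def verify(pk, data, sig):
    if sig is None or len(sig) != 256:
        return False  # missing or malformed signature
    return all(secrets.compare_digest(h(s), pk[i][bit])
               for i, (s, bit) in enumerate(zip(sig, digest_bits(data))))

def install_update(pinned_pk, package, sig, source):
    # 'source' is never consulted: trust comes from the signature over the
    # package bytes, not from which server or DNS answer delivered them.
    return "installed" if verify(pinned_pk, package, sig) else "refused"

def demo():
    vendor_sk, vendor_pk = keygen()      # public half ships inside the updater
    update = b"constructed sample update payload"
    sig = sign(vendor_sk, update)        # produced once, by the vendor
    evil = b"constructed sample tampered payload"
    other_sk, _ = keygen()               # a key the updater does not trust
    return {
        "vendor_server": install_update(vendor_pk, update, sig, "vendor"),
        "local_mirror": install_update(vendor_pk, update, sig, "mirror"),
        "unsigned": install_update(vendor_pk, evil, None, "spoofed"),
        "reused_signature": install_update(vendor_pk, evil, sig, "spoofed"),
        "wrong_key": install_update(vendor_pk, evil, sign(other_sk, evil), "spoofed"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The legitimate package installs from either source, while the unsigned package, the package carrying a signature lifted from a real update, and the package signed with an untrusted key are all refused.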
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Originally Posted by Chuckit
More precisely, the updates themselves would contain the signature and the updater would just make sure it's there and valid. So any update that originates from Apple, no matter how you downloaded it, would be accepted. This means a spoofed update server will be fine as long as it is serving legitimate updates.
Edit: Nm, my reply is off topic now that I read what you wrote. But at that point, you might as well run a real Mac OS X Server software update server, because if you're confined to Apple updates anyway...
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
Mac Elite
Join Date: Nov 2003
Location: The back of the room
Didn't we go through this like 8 years ago? I'm sure of it. A very, very similar exploit against Software Update in 10.1, at least.