Apple patches man-in-middle vulnerability in OS X 10.6
Summary: Apple's latest OS X download includes a PackageKit patch to thwart potential "man-in-the-middle attacks."
Here are the patch details in full:
CVE-ID: CVE-2010-4013
Available for: Mac OS X v10.6 through v10.6.5, Mac OS X Server v10.6 through v10.6.5
Impact: A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution
Description: A format string issue exists in PackageKit's handling of distribution scripts. A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution when Software Update checks for new updates. This issue is addressed through improved validation of distribution scripts. This issue does not affect systems prior to Mac OS X v10.6. Credit to Aaron Sigel of vtty.com for reporting this issue.
Apple pushed the patch out along with Mac OS X v10.6.6, which delivered the Mac App Store.
Talkback
RE: Apple patches man-in-middle vulnerability in OS X 10.6
Well Said.
RE: Apple patches man-in-middle vulnerability in OS X 10.6
You are so funny.
What? A patched vulnerability in an OS is sufficient reason to dismiss it?
Which OS do you use? Some magically perfect OS?
Come on - name it!!!
That depends if you're talking about Windows or not.
If you're talking about Windows then the answer is yes as that's what the Mac fanboys have always done. If you're talking about any other OS then the answer is no. It's a double standard to be sure. But you'll have to take it up with them.
"Which OS do you use? Some magically perfect OS?"
The Mac fanboys have led us to believe it's OS X.
BTW - I don't know what chesscodz@... said as it looks as if he edited it so I don't know what SonofSailor is referring to.
RE: Apple patches man-in-middle vulnerability in OS X 10.6
OK. "It just works" :-)
RE: Apple patches man-in-middle vulnerability in OS X 10.6
No
That's completely un-related!
But it's also true
RE: Apple patches man-in-middle vulnerability in OS X 10.6
Yes, it is true. What rankles is the deflection going on here. Here we have an informative blog giving us information about a security issue that has been (apparently) fixed and bang-zoom off we go to the App Store. True or not, it is not relevant.
@macadam, tell that to @cybr2th@..
RE: Apple patches man-in-middle vulnerability in OS X 10.6
This is an issue with the System Update function?
If I am reading this advisory correctly, an attacker can successfully intercept the System Update network communications. Which then leads to System Update listing bogus patches, or downloading and installing "patches" from the attacker instead of Apple.
I know some people are saying that this issue won't affect them - they have already patched to 10.6.6 (which was released one day ago). But do you *really* trust what System Update tells you, knowing that this was a flaw in System Update...? In all seriousness, there are lots of Macs that have yet to upgrade to 10.6.6, and they are the most vulnerable to this attack.
Of course, I may have misread. Please correct me if I'm wrong!