Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Plugs Software Update Hole

Posted by CmdrTaco on from the plugging-the-holes dept.

hype7 writes "Apple's getting quick! Less than 5 days after the recently reported software update vulnerability was discovered, Apple have a patch plugging the hole. Apparently, packages now presented via the Software Update mechanism are cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing any new packages."

3 of 181 comments (clear)

  1. Actually, it's only half-fixed... by imac.usr · · Score: 5, Insightful
    ...that is, until this is backported to OS 9.

    True, Apple has said that OS 9 is dead, but there's a hell of a lot of installations out there, and they all use an insecure Software Update mechanism as well. Apple needs to do the right thing and fix it for those who haven't upgraded because they can't (like those with hardware whose drivers haven't been updated yet), and to prevent Classic from becoming its own security hole.

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
  2. Re:Funny by jamie · · Score: 5, Insightful
    "When Microsoft announces a patch for Windows two days after a security hole is found, they get bashed for publishing insecure software. When Apple fixes a hole five days after acknowledging it, they're praised for being so quick to patch it."

    The situation is not quite comparable...

    The last n Microsoft security holes that I've seen have been discovered by security groups which reported them privately to Microsoft, and worked with Microsoft for typically a month or two to get the patch out. Then the vulnerability was announced the same day as the patch release. A few days or weeks later, an exploit for the vulnerability was posted someplace reasonably mainstream.

    Not so here. The Apple vulnerability was just posted to bugtraq along with an exploit. No indication was made that any attempt to contact Apple was made, much less working privately with Apple while the problem was resolved.

    http://www.cunap.com/~hardingr/projects/osx/exploi t.html

    http://online.securityfocus.com/archive/1/280964

    Also this wasn't the worst vulnerability ever found. If someone poisons your DNS server they really can do all manner of bad things to you; Software Update is (was) just one of many concerns you should have. Keep your DNS servers secure!

  3. Note by theolein · · Score: 5, Insightful

    I appreciate, even though it is probably coincidental, that Apple did NOT attack the press for reporting this hole before they had a chance to plug it. It has been a reasonably quick, mature response. Unlike another company that we all know that seems incapable of fixing holes without having a go at all "enemies" on the side.