Re: Apple pentesting

From: sam f. stover (sstover@atrc.sytexinc.com)
Date: Tue Apr 05 2005 - 14:44:09 EDT

• Next message: Altheide, Cory B. (IARC): "RE: Apple pentesting"
• Previous message: Daniel: "Re: Apple pentesting"
• In reply to: Todd Towles: "RE: Apple pentesting"
• Next in thread: Thomas Stromberg: "Re: Apple pentesting"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Apr 5, 2005, at 1:47 PM, Todd Towles wrote:

> Nessus does work against Macs, the problem with testing Macs is they
> never released vulnerability statements..never. If a hole is found,
> Apple releases a patch and no ones says anything. If Microsoft did
> this..everyone would go crazy.

Hrm - I'm a Mac owner, and subscribe to
security-announce@lists.apple.com. Here is a link to their Apple
Product Security web site for a specific notification that I received:

http://docs.info.apple.com/article.html?artnum=61798

Clicking on one of the Security Update links given, will take you to
here:

http://docs.info.apple.com/article.html?artnum=301061

Which goes into detail (i.e. CVE, Impact, Credit, etc.) for each issue
addressed in this particular update. All of this information is in the
mailing, which I've included also:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-03-24 Java Web Start

Sun has published "Security Vulnerability With Java Web Start" which
is fixed for Mac OS X in Security Update 2005-002.

Systems that have already installed Security Update 2005-002 do not
need to re-install it.

Available for: Java 1.4.2
CVE-ID: CAN-2005-0418
Impact: Updates Java to address an issue in Java Web Start that
allows an untrusted application to elevate its privileges
Description: A vulnerability in Java Web Start allows an untrusted
application to elevate its privileges. For example an application may
grant itself permissions to read and write local files or execute
local applications that are accessible to the user running the Java
Web Start application. Releases prior to Java 1.4.2 are not affected
by this vulnerability. Further information is available in Document
ID 57740 from Sun's security web site at http://sunsolve.sun.com/

Security Update 2005-002 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "SecUpd2005-002Pan.dmg"
Its SHA-1 digest is: a97552dcd6ad73c573154e2a310f09595db4fb4c

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----

--
S.f. Stover
sstover@atrc.sytexinc.com
Mind the gap.
-- English proverb

• Next message: Altheide, Cory B. (IARC): "RE: Apple pentesting"
• Previous message: Daniel: "Re: Apple pentesting"
• In reply to: Todd Towles: "RE: Apple pentesting"
• Next in thread: Thomas Stromberg: "Re: Apple pentesting"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:19 EDT