It’s not common for Apple to patch a single bug, so the one they patched today must be serious.

The vulnerability patched today in the PackageKit module of OS X 10.6 and later (earlier versions are not affected) could be leveraged by a man-in-the-middle attacker. The attack could result in a system crash or arbitrary code execution.
The problem has to do with PackageKit's handling of distribution scripts. An attacker sitting between Apple's update server and a user could alter a script in transit to trigger a format string vulnerability in the way the script is processed. PackageKit appears to be the component that interprets these scripts and is therefore the one compromised by the attack.
Apple says improved validation of distribution scripts in the update fixes the issue.
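As an added illustration of the bug class the advisory describes (this is not Apple's or PackageKit's code; the script text and function names are constructed assumptions), the vulnerable pattern beside the hardened one, plus a validator of the kind Apple's "improved validation" suggests:

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a string read out of a distribution script. The
 * script travels from the update server to the client, so anyone who can
 * tamper with it in transit controls this text. */
static const char *script_message = "Installing Security Update... %x %x";

/* Vulnerable pattern (do not use): the script text becomes the format
 * string, so "%x" reads stack words and "%n" would write memory. */
int render_unsafe(char *out, size_t out_len, const char *msg)
{
    return snprintf(out, out_len, msg);
}

/* Hardened pattern: the script text is passed as an argument to a fixed
 * format, so every '%' in it is copied literally. */
int render_safe(char *out, size_t out_len, const char *msg)
{
    return snprintf(out, out_len, "%s", msg);
}

/* Validation: reject script strings that carry format directives
 * ("%x", "%n", ...) while still allowing an escaped "%%".
 * Returns 1 if the string is acceptable, 0 if it must be rejected. */
int script_string_is_clean(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* literal percent sign */
        return 0;                            /* any other directive: reject */
    }
    return 1;
}

int main(void)
{
    char buf[128];
    render_safe(buf, sizeof buf, script_message);
    printf("rendered safely: %s\n", buf);                          /* '%x' verbatim */
    printf("clean? %d\n", script_string_is_clean(script_message)); /* 0 */
    printf("clean? %d\n", script_string_is_clean("100%% done"));   /* 1 */
    return 0;
}
```

The unsafe variant is shown only for contrast and is never called; the validator is the check a client should apply before any script-supplied text reaches a printf-style function.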
This update (as I see it) raises some questions: Aren’t they distributing these scripts via SSL/TLS? If so, how is the man-in-the-middle attack accomplished? If not, well why not?


Full story: Security Watch
Posted on 11 January 2011. Tags: Apple, Patches, serious, Software, Update