The official description from their bulletin (http://support.apple.com/kb/HT4498):
PackageKit
CVE-ID: CVE-2010-4013
Available for: Mac OS X v10.6 through v10.6.5, Mac OS X Server v10.6 through v10.6.5
Impact: A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution
Description: A format string issue exists in PackageKit's handling of distribution scripts. A man-in-the-middle attacker may be able to cause an unexpected application termination or arbitrary code execution when Software Update checks for new updates. This issue is addressed through improved validation of distribution scripts. This issue does not affect systems prior to Mac OS X v10.6. Credit to Aaron Sigel of vtty.com for reporting this issue.
Forgive me if I'm missing something obvious, but are they actually distributing update scripts without TLS/SSL? If they are, how are you doing the MITM? If not, WTF?
ReplyDeleteWhile I'm on the subject, I'm pretty sure they code-sign all their updates. Why aren't they code-signing the scripts too?