RE: Apple pentesting

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 04/06/05

    Date: Wed, 6 Apr 2005 08:21:58 -0500
    To: "Javier Blanque" <javier@blanque.com.ar>, "Julian Totzek" <julian.totzek@bristol.de>
    
    

     Hey, Thanks guys,

    It was my mistake...I was talking in front of my mind for a bit. Yesterday was a rough day, sorry for the confusion. Cory, sorry for taking my displeasure of the day out on ya..my bad. I understand that Apple has a very good security image and does inform their users.

    As far as pen-testing, Nessus is a good start, but false positives are possible and they should be double checked with another tool or manually. You will get both Mac OS X and UNIX type vulns. The other links provided by the other members give some holes to check. I was surprised to not find any attack info on packetstormsecurity as well.

    http://www.osvdb.org/ - Found several vulns for Mac OS X

    http://secunia.com/product/96/ - Mac OS X Vulnerabilities - Secunia

    Also, look at the other apps that are installed. If you do get local access to the box, then installed apps and maybe unpatched local access will help you gain higher access.

    > -----Original Message-----
    > From: Javier Blanque [mailto:javier@blanque.com.ar]
    > Sent: Tuesday, April 05, 2005 4:40 PM
    > To: Todd Towles; Julian Totzek
    > Cc: <pen-test@securityfocus.com>
    > Subject: Re: Apple pentesting
    >
    > In general Corporations like Apple, Microsoft, Sun, Cisco,
    > etc. do not help attackers to their products, even for good
    > reason (pen testing), they do not give more than is needed to
    > know about a bug. But Apple has been doing its homework about
    > patching and describing these vulns. You should check at:
    > http://www.macsecurity.org/
    > http://www.securemac.com/
    > and google for "mac security"
    > Best regards,
    > Javier Blanque
    >
    > El 05/04/2005, a las 14:47, Todd Towles escribió:
    >
    > > Nessus does work against Macs, the problem with testing Macs is they
    > > never released vulnerability statements..never. If a hole is found,
    > > Apple releases a patch and no one says anything. If Microsoft did
    > > this..everyone would go crazy.
    >
    >

