Software Update Vulnerability
redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism 'Software Update.' Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.
Software Update is convenient, but it only allows you to update Apple software (and the occasional IE bug fix). This bug could just as easily be exploited to allow for a Mac computer lab to auto-update third party software, reducing the hassle of network-wide installs, and potentially making the lab more secure by fixing bugs in other software. Apple should provide this option, IMHO.
The Mac news sites are very thorough, and I always read about new updates before I see them on Software Update. Also, I don't install everything listed. I've marked as inactive several foreign language updates, and some AirPort updates, as I only speak English and don't have an AirPort card.
"Common Sense Ain't" -Unknown
This is true of all those Automatic Update tools, including Red Carpet and Windows Update. They all use DNS to find the software on the Net and then install the modules without too much fuss. The only real work around is to know what you're installing. Download from what you believe to be the correct source, always look for a public verification key and then install it.
Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.
You mean like the thousands of users on my cable network that I share a DNS server with? I'm not sure I trust them too much, but I can't really do much about that.
Is your browser retarded?
Or would it? All you'd have to do is wait for a legitimate update to be released and mask your software as that update (same filename/size/desc). The end user would have no idea they weren't updating to OS 10.1.6, but rather installing a trojan. Software Update is a trusted source for most users.
These exploit techniques could be used by a good blackhat to affect everyone on, let's say, Rogers Cable in a specific geographic region. Face it: since this became a one-protocol world with fat pipes, we all trust upstream.
Are you big enough for your home DNS to point only at root?
"Flyin' in just a sweet place,
Never been known to fail..."
A trojan that's the same size as an OS update? I'd think that a trojan wouldn't need more than a few kilobytes to do its damage. Many major updates in X even give you the EULA before the download starts. I doubt many Trojan authors would duplicate that.
"Common Sense Ain't" -Unknown
Oh, you mean like the whole internet. Gee, why didn't I think of that.
"DUUUUUUHHHHHHHHHHHHHHH!!!!" -- Steve Oedekerk
Granted, it's still a bit shaky on Macintosh OS X, but it's getting better.
Think about how dumb that comment was. Someone takes the time to forge an update, waits for an official update to come out, but is too lazy to add a bunch of extra 0's at the end of the file and add a simple dialog box.
Yeah, don't worry. Nobody would have the time to do that. I guess there's no point for you to update your mac then. Just keep going unpatched, and enjoy ignorance.
I don't think you quite saw the vulnerability. It's not a matter of hacking the Apple SU server, but rather the individual resolution to the server, or other similar methods aimed at the end user.
:)
I always check the response from others before applying updates as well (yea VersionTracker). But, if someone targeted my network (DNS servers for example) _I_ would be the only one affected by the exploit with this particular attack.
So, all someone has to do is coordinate an attack on you with an update from Apple, you go read the reports, people say "Great update, no problems," and you go ahead and apply the updates across your machines. All the while, your DNS server was hacked, and your machines are actually connecting to some erroneous source that just installed a backdoor... and while it's at it, installs the Apple update to appear real.
For now, you need to just trust that your local network and DNS is secure. But some form of host certification should really be applied to ensure that the app is connecting to a valid machine... much like web browsers can do when connecting to an SSL server.
Just my $0.02.
-Alex
Apple should sign all updates and Software Update should verify what it downloads against Apple's public key. An attacker would then have to modify the copy of Apple's public key on the victim's machine, or modify Software Update to disable the check, both of which would presumably require root privileges. Still not perfect, but an improvement.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
Sorry, but I still think I'd have to seriously piss someone off to make them go to the trouble to do this to my one little iMac. Nothing between me and SWBell, to my knowledge. Anyway, I have no enemies, and most Mac users I know think I'm a great guy (example, my 5 star rating on the Macgamer.com forums). And I don't think someone picking a victim at random would find me.
"Common Sense Ain't" -Unknown
So, they'll hack the SWBell DNS servers to get to us home DSL users on Macs running X... nah, I can't see it happening.
"Common Sense Ain't" -Unknown
You, sir, are a quite funny little troll. I hope.
That, or you're really really really stupid.
From what I can tell, the way software update ensures that it's really talking to Apple is based entirely on DNS lookups right now. No SSL, no md5sums, nada. All bad.
Along with many other security measures, they should start using md5sums and set up a separate server that only hosts the sums. Hardcode its IP address into the software update client, and make sure that wherever the update comes from it's got md5's that match up with the sum server. I know hardcoding an IP seems like a bad idea, but to truly protect against DNS attacks it might be a good move in this case. (And Apple owns their own IP blocks - surely they can pick a certain number and guarantee it will remain THE md5sum server.)
It's easy to dismiss this threat as unlikely, but imagine running these prepackaged tools in a lab environment with a few hundred OS X macs...
Apple better have an update out real quick on this one.
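An added example, not Apple's code and not from anyone in this thread, of the two defenses proposed above: the vendor signs each update and the client verifies against a public key shipped inside the updater, and the update's size and hash are checked against that signed manifest (the md5sum-server idea, with SHA-256 and Ed25519 standing in for md5 and a hardcoded IP). The key pair, manifest format, package name and sample bytes are all constructed for the example; it also shows why a trojan padded to the same name and size as a real update still fails the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs (hypothetical format, not Apple's): the client accepts a payload only if signature, size and hash all check.
type Manifest struct {
	Name   string
	Size   int
	SHA256 string
}

func (m Manifest) bytes() []byte { return []byte(fmt.Sprintf("%s\n%d\n%s\n", m.Name, m.Size, m.SHA256)) }

// SignUpdate is the vendor side: hash the payload, then sign the manifest.
func SignUpdate(priv ed25519.PrivateKey, name string, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Name: name, Size: len(payload), SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytes())
}

// VerifyUpdate is the client side; pub ships inside the updater, so spoofing DNS for the download host cannot swap it out.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.bytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if len(payload) != m.Size {
		return errors.New("payload size mismatch")
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload hash mismatch")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	genuine := []byte("constructed sample: genuine update bytes")
	m, sig := SignUpdate(priv, "MacOSXUpdate.pkg", genuine)
	forged := append([]byte(nil), genuine...) // same name and size, one byte differs
	forged[0] ^= 0xff
	fmt.Println(VerifyUpdate(pub, m, sig, genuine), VerifyUpdate(pub, m, sig, forged))
}
```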
Actually, it could possibly be quite profitable for someone who had access to the DNS server to do such a thing as this. I would bet there's enough Mac users on the SWBell DSL network to find at least a few credit card numbers, addresses, names, SSNs, etc.
Apple appears to have blundered, although I am still watching for further news on how bad. The key will be to watch how quickly (or how slowly!) they respond with an appropriate fix. If it takes two weeks, that's bad. If it takes 3 days I'm not going to complain about that. We'll see what happens. Until then, no SW update for me.
Meanwhile I actually sent Apple an email describing the problem and asking for a public advisory and a fix ASAP. Just doing my part.
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
This is an old trick. Remember the stink raised recently about users 'uncapping' their cable modems? Same idea. It's a problem here primarily because the install runs as root.
The solution is a bit hairy though. Let's say Apple builds authentication into the "SoftwareUpdate" mechanism. That doesn't stop someone from spoofing a third party software updating mechanism. It also doesn't stop someone from writing malicious software that poses as shareware. I downloaded a shareware app last week that asked for Admin privileges just so the installer could drop the application in /Applications.
And should Apple build authentication into the installer process from the ground up, everyone will be wringing their hands with concerns about how Apple selects who gets signed. It will strongly resemble the code signing thing Microsoft said it would start doing in future versions of Windows. (Though, I'm more apt to trust Apple to 'do the right thing' when it comes to *not* stifling the competition.)
Even then, a malicious code writer could craft an install process that 'looks' like Apple's long enough to get a password and then pipe it to sudo with something like java.lang.Runtime.exec(). Anybody that thinks Apple should/will have a solution to this problem in a few days really ought to rethink the problem a bit. It has as much to do with educating end users about code signing, security, privileges, and encryption as it does with any software fix Apple finally does produce.
The irony here is this isn't a problem until an end user enters a password and clicks "OK". It isn't automatic like some javascript launched Outlook attachment. Whoever posted this 'testing' software could have done the same with Windows, or one of a thousand other auto-updating programs on the net, but chose Apple. Why? In my estimation he is tired of hearing how secure and virus free Macs are.
There is a very simple workaround. Just add the following line to your /etc/hosts file:
204.179.120.93 swquery.apple.com
Now if somebody tries the DNS attack it won't work, as we hardcoded swquery.apple.com -> 204.179.120.93. You will of course have to activate your /etc/hosts file but, I'm pretty sure that you people (/.ers) know how to do this already.
I know I'm going to hell, I'm just trying to get good seats.
not to enable automatic updating.
I am a believer of momentum and curves.
MacOS X doesn't use the hosts file except in single-user mode, but once you've changed the /etc/hosts file you can update the NetInfo database like so:
sudo niload hosts / < /etc/hosts
-- thinkyhead software and media
Remind me why Microsoft's system ISN'T vulnerable to this?? If anything, it's more vulnerable, because a) people know about it and b) it's statistically certain there are exploitable holes in the update code.
Save time now so you can waste it later
They could be running it with Web Objects on Solaris, couldn't they?
Or what are you suggesting that I don't understand?
GPL Deconstructed
I never said it was a "'solution'" I said it was a workaround. If they could do all that they could easily spoof off Verisign and then HTTPS is fucked also. So what's your point?
I know I'm going to hell, I'm just trying to get good seats.
Troll? No, just disagreeing that this minor security flaw is a huge threat to the individual home user. Even if I did install this theoretical trojan horse (a big if), it's not going to do a great deal of damage without Root access, which I've not enabled, and my credit card numbers and SSNs are nowhere to be found on my hard drive. Unlike you, I'm also posting with my real name. I suppose a pissed hacker might use that info to try and DoS me, but that's all he could do to me. It'd give me more time for Warcraft III, once my copy arrives. ;-)
"Common Sense Ain't" -Unknown
Well, according to this chart, Apple was hosting their websites on Solaris machines until late 2000. It looks like instead of just trashing the machines, Apple shuffled them off into the back rooms to handle lesser duties like SU and such.
I think this is a good idea, as 1) the machines are still good, and 2) it saves resources by using them as long as possible. Apple's server forays are still relatively new (and against the spirit of building personal computers), so it's natural that they'd have somebody else's boxen.
Actually, I think Apple could use some sort of authentication or digitally sign their updates. That seems to be the general consensus.
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
Oh, but only if you're on my campus network.
omnia tua castra sunt nobis
and one serious screw up of an installation app....is that the best you can muster after a year?
Keep going, Apple. Maybe someday you'll be taken seriously as an operating system company and have thousands.
Or at LEAST ship with one hole that you know about with Jagwire... that would probably jump start your reputation.
guns kill people like spoons make Rosie O'Donnell fat.
CHORUS:
Signs Signs Everywhere there's signs
Blocking up the scenery Breaking up my mind
Do this Don't do that Can't you read the sign?
And the sign says "Anybody caught trespassing will be shot on sight"...
I'm not an expert on these things... (I know - then get off'a /. !!! )
...but could someone tell me why in an otherwise pretty secure and tight implementation of the rollout of OSX over the past 1+ year would Apple overlook something so seemingly obvious?
Any theories (besides the one I read elsewhere that "steve was fresh from graduation from assclown school" -Techfocus)?
And what's an assclown? I can't recall seeing one.
Cake or Death? Cake Please!
the def
I swear I didn't know. I guess I was a... dammit!
Cake or Death? Cake Please!
The vulnerability discussed above has now been addressed by an from Apple. I would say pretty fast work--the exploit page on
It's clear that Apple has a security focus now--although they may not always get it right out of the box, they have responded quickly to the last 3 major holes, patching the system in days, not weeks.
--
$tar -xvf
The key will be to watch how quickly (or how slowly!) they respond with an appropriate fix. If it takes two weeks, that's bad. -- me, 5 days ago
It's been five days and it seems the fix has been issued. I wonder if there will be a followup story where we can all go "gee, Apple handled that fairly well"?
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
you might as well post a fix that is actually LESS of a kludge than who you're insulting.
Um, software update does effectively run with root access. How do you think it patches system files? So you're effectively giving root access to anyone who exploits it.
Now is it *likely* that anyone would do this to you specifically? Not really. But this is a terrible way to think about computer security. The fact is you don't know what creative ways someone might come up with to exploit this hole. The fact that you can't think of an exploit that will work against you doesn't mean there isn't one-- if the software is exploitable, all that's needed is a bit of social engineering to find a way to make use of it in the real world.
The "who would hack little old me" argument might have worked 5 years ago when there were relatively few people on the 'net and most of them were responsible adults. But these days the 'net is swarming with script kiddies, and if a vulnerability appears it's likely to be exploited quickly and in parallel.
I'll grant that in this particular case, it seems unlikely that there's any way this could be exploited without access to your local network, which presumably is secure. But it's never a good idea to rely on such assumptions-- there are many examples where minor holes were discovered, were pooh-poohed by the authorities, and were later discovered to be major holes because of a clever exploit no one thought of. That could happen in this case as well-- someone might figure out a way to trick your Mac into connecting to someone other than Apple.