Slashdot Mirror


Software Update Vulnerability

redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism "Software Update." Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

3 of 92 comments

  1. Not Sharing a LAN? by Jeremiah Cornelius · Score: 3, Funny
    I guess Pudge's "Not sharing a LAN with someone who'd do that" was meant to be enclosed in tags!
    <sarcasm>
    Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.
    </sarcasm>

    These exploit techniques could be used by a good blackhat to affect everyone on, let's say, Rogers Cable in a specific geographic region. Face it: since this became a one-protocol world with fat pipes, we all trust upstream.

    Are you big enough for your home DNS to point only at root?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  2. Re:Wouldn't work on me, or most net-savvy Mac user by Alex Thorpe · Score: 1, Funny

    A trojan that's the same size as an OS update? I'd think that a trojan wouldn't need more than a few kilobytes to do its damage. Many major updates in X even give you the EULA before the download starts. I doubt many Trojan authors would duplicate that.

    --
    "Common Sense Ain't" -Unknown
  3. Bug Fix by cappadocius · Score: 2, Funny
    Luckily there's a bug fix! Just go to Software Update right now to get it.

    Oh, but only if you're on my campus network.

    --

    omnia tua castra sunt nobis