Slashdot Mirror


Software Update Vulnerability

redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism 'Software Update.' Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

8 of 92 comments

  1. True Of All Updaters by dthable · Score: 2, Informative

    This is true of all those Automatic Update tools, including Red Carpet and Windows Update. They all use DNS to find the software on the Net and then install the modules without too much fuss. The only real workaround is to know what you're installing. Download from what you believe to be the correct source, always look for a public verification key and then install it.

    1. Re:True Of All Updaters by Anonymous Coward · Score: 3, Informative

      What are you talking about? Red Carpet verifies the GPG signatures on RPMs before installing them. I suspect Windows Update does something similar.

  2. Re:It's not a bug, it's a feature! by foobar104 · Score: 3, Informative

    Rather than going through the agony of installing sshd on each and every client computer....

    Not to be pedantic, but each and every client computer already has sshd on it. It's a part of OS X.

  3. Re:It's not a bug, it's a feature! by AllInOne · Score: 3, Informative

    VersionTracker Pro provides essentially this feature already...

    I haven't used it since it went out of free beta but it is a pretty neat tool for folks who are truly addicted to having the latest version of any software.

  4. No workaround my @$$ by red5 · Score: 4, Informative

    There is a very simple workaround. Just add the following line to your /etc/hosts

    204.179.120.93 swquery.apple.com

    Now if somebody tries the DNS attack it won't work, as we hardcoded swquery.apple.com -> 204.179.120.93. You will of course have to activate your /etc/hosts file, but I'm pretty sure that you people (/.ers) know how to do this already.

    --
    I know I'm going to hell, I'm just trying to get good seats.

    1. Re:No workaround my @$$ by usr122122121 · Score: 2, Informative

      Why not just do it in NetInfo?

      1) Open up /Applications/Utilities/NetInfo Manager.
      2) Click the lock to authenticate.
      3) Use the browser to go to /machines/
      4) Click the "Create New Directory" button.
      5) Modify the new directory you just made to have these attributes:
      key:ip_address value:204.179.120.93
      key:name value:swquery.apple.com
      key:serves value:./local
      6) Save the modified NetInfo database. It will ask you if you "REALLY" want to do it. If you're sure, agree.

      --

      -braxton

  5. The NetInfo method by Slur · Score: 4, Informative

    MacOS X doesn't use the hosts file except in single-user mode, but once you've changed the /etc/hosts file you can update the NetInfo database like so:

    sudo niload hosts / /etc/hosts

    --
    -- thinkyhead software and media

    1. Re:The NetInfo method by red5 · Score: 4, Informative

      Okay, looks like I assumed wrong (you don't all know). You can activate your /etc/hosts file by setting /locations/lookupd/hosts/LookupOrder -> ( CacheAgent, FFAgent, NIAgent, YPAgent, DNSAgent, NILAgent ) in NetInfo.

      Simply copy this file to lookupd.txt. Then type:
      niload -r /locations/lookupd / < lookupd.txt

      Yes, I "stole" all of this from this page. Except mine is modified to activate the /etc/hosts file also.

      --
      I know I'm going to hell, I'm just trying to get good seats.
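
An added example, not part of the original thread or any commenter's post: a shell function that checks whether a hosts-format file carries the pin from comment 4 (swquery.apple.com to 204.179.120.93) and whether another line maps the same name to a different address. The function name, the status words and the sample file are constructed for illustration; it inspects file content only, not whether lookupd is configured to consult the file.

```shell
#!/bin/sh
# Added example: audit a hosts-format file for a pinned name.
# Prints pinned | missing | conflict; exit status 0 | 1 | 2 respectively.
check_hosts_pin() {
    file=$1 host=$2 want_ip=$3
    awk -v host="$host" -v want="$want_ip" '
        { sub(/#.*/, "") }          # drop trailing and whole-line comments
        NF < 2 { next }             # blank line, or an address with no names
        {
            # Field 1 is the address; every later field is a name or alias.
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(host)) {
                    if ($1 == want) good++; else bad++
                }
        }
        END {
            # Any mapping to another address is reported, even if the
            # expected pin is also present: which line wins is resolver
            # dependent, so the file is ambiguous.
            if (bad)       { print "conflict"; exit 2 }
            else if (good) { print "pinned";   exit 0 }
            else           { print "missing";  exit 1 }
        }' "$file"
}

# Demo on constructed sample input (not taken from a real machine).
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
127.0.0.1       localhost
# pin from the thread
204.179.120.93  swquery.apple.com
EOF
    printf 'pin only:        %s\n' \
        "$(check_hosts_pin "$tmp" swquery.apple.com 204.179.120.93)"
    # Constructed second entry for the same name, different case and address.
    echo '10.0.0.66 SWQuery.Apple.com' >> "$tmp"
    printf 'with extra line: %s\n' \
        "$(check_hosts_pin "$tmp" swquery.apple.com 204.179.120.93)"
    rm -f "$tmp"
}
demo
```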