Slashdot Mirror


Software Update Vulnerability

redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism 'Software Update.' Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.


  1. Re:It's not a bug, it's a feature! by foobar104 · · Score: 3, Informative

    Rather than going through the agony of installing sshd on each and every client computer....

    Not to be pedantic, but each and every client computer already has sshd on it. It's a part of OS X.

  2. Re:True Of All Updaters by Anonymous Coward · · Score: 3, Informative

    What are you talking about? Red Carpet verifies the GPG signatures on RPMs before installing them. I suspect Windows Update does something similar.

  3. Re:It's not a bug, it's a feature! by AllInOne · · Score: 3, Informative

    VersionTracker Pro provides essentially this feature already...

    I haven't used it since it went out of free beta but it is a pretty neat tool for folks who are truly addicted to having the latest version of any software.

  4. No workaround my @$$ by red5 · · Score: 4, Informative

    There is a very simple workaround. Just add the following line to your /etc/hosts

    204.179.120.93 swquery.apple.com

    Now if somebody tries the DNS attack it won't work, as we hardcoded swquery.apple.com -> 204.179.120.93. You will of course have to activate your /etc/hosts file, but I'm pretty sure that you people (/.ers) know how to do this already.

    --
    I know I'm going to hell, I'm just trying to get good seats.
  5. The NetInfo method by Slur · · Score: 4, Informative

    MacOS X doesn't use the hosts file except in single-user mode, but once you've changed the /etc/hosts file you can update the NetInfo database like so:

    sudo niload hosts / /etc/hosts

    --
    -- thinkyhead software and media
    1. Re:The NetInfo method by red5 · · Score: 4, Informative

      Okay, looks like I assumed wrong (you don't all know). You can activate your /etc/hosts file by setting /locations/lookupd/hosts/LookupOrder -> ( CacheAgent, FFAgent, NIAgent, YPAgent, DNSAgent, NILAgent ) in NetInfo.

      Simply copy this file to lookupd.txt. Then type:
      niload -r /locations/lookupd / < lookupd.txt

      Yes, I "stole" all of this from this page. Except mine is modified to activate the /etc/hosts file also.

      --
      I know I'm going to hell, I'm just trying to get good seats.
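
Added example, not part of any comment above: a shell check that audits a hosts-format file for the swquery.apple.com pin discussed in the thread and flags a missing, commented-out or conflicting entry. The function name check_pin, the sample files and the 192.0.2.66 address are constructed for illustration; only the hostname and 204.179.120.93 come from the thread.

```shell
# check_pin FILE HOST EXPECTED_IP  -> prints pinned | missing | conflict
#   pinned:   every entry naming HOST maps it to EXPECTED_IP
#   missing:  no active entry names HOST, so lookups fall through to DNS
#   conflict: at least one entry maps HOST to some other address
check_pin() {
    awk -v host="$2" -v want="$3" '
        BEGIN { host = tolower(host) }
        {
            sub(/#.*/, "")           # drop comments, fields are re-split
            if (NF < 2) next         # blank line or address with no name
            for (i = 2; i <= NF; i++)
                if (tolower($i) == host) { found = 1; if ($1 != want) bad = 1 }
        }
        END { print (!found ? "missing" : (bad ? "conflict" : "pinned")) }
    ' "$1"
}

# Constructed sample files (not taken from a real machine).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good" <<'EOF'
127.0.0.1       localhost
204.179.120.93  swquery.apple.com   # pin from the thread
EOF
cat > "$SAMPLE_DIR/tampered" <<'EOF'
127.0.0.1       localhost
204.179.120.93  swquery.apple.com
192.0.2.66      mirror.example SWQUERY.apple.com
EOF
cat > "$SAMPLE_DIR/commented" <<'EOF'
127.0.0.1       localhost
# 204.179.120.93  swquery.apple.com
EOF

for f in good tampered commented; do
    printf '%s: %s\n' "$f" \
        "$(check_pin "$SAMPLE_DIR/$f" swquery.apple.com 204.179.120.93)"
done
```

A "pinned" result only matters where the resolver actually consults the file, which is what the NetInfo comments above address.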