Slashdot Mirror


Software Update Vulnerability

redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism 'Software Update.' Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

3 of 92 comments

  1. Right... by Clue4All · Score: 2, Insightful

    Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

    You mean like the thousands of users on my cable network that I share a DNS server with? I'm not sure I trust them too much, but I can't really do much about that.

    --
    Is your browser retarded?

  2. No easy fixes... by MacDork · Score: 2, Insightful

    This is an old trick. Remember the stink raised recently about users 'uncapping' their cable modems? Same idea. It's a problem here primarily because the install runs as root.

    The solution is a bit hairy though. Let's say Apple builds authentication into the "SoftwareUpdate" mechanism. That doesn't stop someone from spoofing a third party software updating mechanism. It also doesn't stop someone from writing malicious software that poses as shareware. I downloaded a shareware app last week that asked for Admin privileges just so the installer could drop the application in /Applications.

    And should Apple build authentication into the installer process from the ground up, everyone will be wringing their hands with concerns about how Apple selects who gets signed. It will strongly resemble the code signing thing Microsoft said it would start doing in future versions of Windows. (Though, I'm more apt to trust Apple to 'do the right thing' when it comes to *not* stifling the competition.)

    Even then, a malicious code writer could craft an install process that 'looks' like Apple's long enough to get a password and then pipe it to sudo with something like java.lang.Runtime.exec(). Anybody that thinks Apple should/will have a solution to this problem in a few days really ought to rethink the problem a bit. It has as much to do with educating end users about code signing, security, privileges, and encryption as it does with any software fix Apple finally does produce.

    The irony here is this isn't a problem until an end user enters a password and clicks "OK". It isn't automatic like some javascript launched Outlook attachment. Whoever posted this 'testing' software could have done the same with Windows, or one of a thousand other auto-updating programs on the net, but chose Apple. Why? In my estimation he is tired of hearing how secure and virus free Macs are.

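The summary above describes an update channel that is plain HTTP with no authentication, so whoever controls DNS for the client controls what gets installed, and MacDork's comment asks what "building authentication into the SoftwareUpdate mechanism" would actually involve. The following Go program is an added illustration written for this page; it is not Apple's code, not the Bugtraq poster's, and not a description of how Software Update works. It assumes a hypothetical signed manifest format (`Manifest`, `manifestBytes`) and a vendor public key pinned in the client at build time; the sample package bytes are constructed. It goes one step beyond the thread by also refusing a replayed, genuinely signed but older manifest, since a server that can be spoofed can also serve stale content.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the hypothetical signed metadata an update client fetches next to
// the package. The signature covers the version and the package digest, so a
// server reached through spoofed DNS cannot alter either without detection.
type Manifest struct {
	Version   uint64 // monotonically increasing release counter
	SHA256Hex string // hex digest of the package bytes
	Signature []byte // Ed25519 signature over manifestBytes(Version, SHA256Hex)
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("package digest does not match the signed manifest")
	ErrRollback       = errors.New("manifest version is not newer than the installed version")
)

// manifestBytes is the canonical byte string that gets signed and verified.
func manifestBytes(version uint64, digestHex string) []byte {
	return []byte(fmt.Sprintf("version=%d\nsha256=%s\n", version, digestHex))
}

// SignManifest runs on the vendor side; the private key never leaves the vendor.
func SignManifest(priv ed25519.PrivateKey, version uint64, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256Hex: digest,
		Signature: ed25519.Sign(priv, manifestBytes(version, digest)),
	}
}

// VerifyUpdate is the client-side check that runs before anything is installed.
// pub is pinned in the client at build time, not fetched from the network, and
// installedVersion is the release the client currently runs.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint64, m Manifest, pkg []byte) error {
	// 1. Authenticity: only the vendor's key produces an acceptable signature.
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.SHA256Hex), m.Signature) {
		return ErrBadSignature
	}
	// 2. Freshness: a replayed, genuinely signed but older manifest is refused.
	if m.Version <= installedVersion {
		return ErrRollback
	}
	// 3. Integrity: the bytes actually downloaded match the signed digest.
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrDigestMismatch
	}
	return nil
}

// RunScenario plays four fetches against a client pinned to the vendor key and
// returns the verification result of each: a genuine update, a manifest signed
// with an attacker's own key (the best a spoofed server can produce without the
// vendor key), a genuine manifest paired with a swapped package, and a replayed
// older genuine manifest.
func RunScenario() (genuine, spoofed, tampered, replayed error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = uint64(41)
	realPkg := []byte("constructed sample: genuine update payload v42") // constructed
	evilPkg := []byte("constructed sample: untrusted payload")          // constructed

	genuine = VerifyUpdate(vendorPub, installed, SignManifest(vendorPriv, 42, realPkg), realPkg)
	spoofed = VerifyUpdate(vendorPub, installed, SignManifest(attackerPriv, 42, evilPkg), evilPkg)
	tampered = VerifyUpdate(vendorPub, installed, SignManifest(vendorPriv, 42, realPkg), evilPkg)
	replayed = VerifyUpdate(vendorPub, installed, SignManifest(vendorPriv, 40, realPkg), realPkg)
	return
}

func main() {
	genuine, spoofed, tampered, replayed := RunScenario()
	fmt.Println("genuine update:  ", genuine)
	fmt.Println("spoofed manifest:", spoofed)
	fmt.Println("swapped package: ", tampered)
	fmt.Println("replayed old:    ", replayed)
}
```

The point of the design is that the transport is untrusted by construction: DNS, the HTTP server and the download all sit on the attacker's side of the line, and the only thing the client relies on is a key it already had. This addresses the spoofing case in the summary; it does not address MacDork's other point, a program that merely looks like an installer and asks for a password, which no transport-level check can catch.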
  3. Re:Wouldn't work on me, or most net-savvy Mac user by Alex+Thorpe · Score: 2, Insightful

    Troll? No, just disagreeing that this minor security flaw is a huge threat to the individual home user. Even if I did install this theoretical trojan horse (a big if), it's not going to do a great deal of damage without Root access, which I've not enabled, and my credit card numbers and SSNs are nowhere to be found on my hard drive. Unlike you, I'm also posting with my real name. I suppose a pissed hacker might use that info to try and DoS me, but that's all he could do to me. It'd give me more time for Warcraft III, once my copy arrives. ;-)

    --
    "Common Sense Ain't" -Unknown