Slashdot Mirror

← Back to Stories (view on slashdot.org)

Software Update Vulnerability

Posted by pudge on from the oh-goody dept.

redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism 'Software Update.' Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

9 of 92 comments (clear)

  1. It's not a bug, it's a feature! by tristan-b · · Score: 3, Interesting

    Software Update is convinent, but it only allows you to update Apple software (and the occasional IE bug fix). This bug could just as easily be exploited to allow for a Mac computer lab to auto-update third party software, reducing the hassle of network-wide installs, and potentialy making the lab more secure by fixing bugs in other softare. Apple should provide this option, IMHO.

    1. Re:It's not a bug, it's a feature! by medcalf · · Score: 3, Interesting

      It would be nice if SU did provide a feature so that third parties could register their software with SU, and it could then be kept up to date transparently. Of course, this would only be a feature if the user got to pick the non-Apple software to be updated. Having a method where some client I install sets up SU to automatically keep spyware updated, and not telling me about it, would be most unpleasant.

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    2. Re:It's not a bug, it's a feature! by tps12 · · Score: 2, Interesting

      I agree, this could be invaluable to sys admins.

      Rather than going through the agony of installing sshd on each and every client computer, and then writing a bash script to scp updated files as necessary, just have each client poll a central http server (hidden from the Internet by a firewall, of course) for bug updates. Then you just need one person at each workstation to click "okay" and install the thing.

      Just because the Mac is now Unix-based, doesn't mean we should give up the ease of use and convenience that made the Mac great in the first place.

      --

      Karma: Good (despite my invention of the Karma: sig)
  2. Wouldn't work on me, or most net-savvy Mac users. by Alex+Thorpe · · Score: 2, Interesting

    The Mac news sites are very thorough, and I always read about new updates before I see them on Software Update. Also, I don't install everything listed. I've marked as inactive several foreign language updates, and some AirPort updates, as I only speak English and don't have an AirPort card.

    --
    "Common Sense Ain't" -Unknown
  3. Re:Wouldn't work on me, or most net-savvy Mac user by tristan-b · · Score: 3, Interesting

    Or would it? All you'd have to do is wait for a legitimate update to be released and mask your software as that update (same filename/size/desc). The end user would have no idea they weren't updating to OS 10.1.6, but rather installing a trojan. Software Update is a trusted source for most users.

  4. "Easy" solution by bnenning · · Score: 3, Interesting

    Apple should sign all updates and Software Update should verify what it downloads against Apple's public key. An attacker would then have to modify the copy of Apple's public key on the victim's machine, or modify Software Update to disable the check, both of which would presumably require root privileges. Still not perfect, but an improvement.

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  5. Re:True Of All Updaters by phyxeld · · Score: 3, Interesting
    The only real work around is to know what you're installing. Download from what you believe to be the correct source, always look for a public verification key and then install it.

    1. I believe swscan.apple.com to be the correct source. The point is, that could be made to resolve to a different, hostile, IP address.

    2. A public verification key? From apple? See, thats the problem. They don't do that currently. When they start to, they'll probably build it into the software update system, like they should have in the first place.

    An interesting sidenote: I've been sniffing some SU traffic after reading all this, and noticed some interesting HTTP headers:
    Accept-Ranges: bytes
    Date: Mon, 08 Jul 2002 07:01:41 GMT
    Content-Length: 7286
    Content-Type: text/plain
    Server: Netscape-Enterprise/3.6 SP3
    Etag: "ea810-1c76-3d20f5eb"
    Last-modified: Tue, 02 Jul 2002 00:38:03 GMT
    Via: 1.1 netcache04 (NetCache NetApp/5.2R1D8)
    Looks like Apple doesn't practice what they preach in terms of server software. :)
    And wtf is that NetApp cache bullshit? Does everyone see that, or am I being transparently proxied somewhere?! OK, just checked some other stuff, the NetApp cache header is only present on my SoftwareUpdate connections. Something on apple's end? Does everybody see this?

    (fwiw i'm using the incredibly simple tcpflow to watch my tcp traffic. ethereal is cooler, and lets me see non-tcp traffic too, but the current mac (fink) version has a very high suck factor. Sometimes ICMP packets don't show up, streams can almost never be reconstructed entirely, etc etc. Moving capture files off the mac over to a linux or bsd box for analysis is the only way I can seem to use ethereal for much of anything.)
    --
    __
    Choose mnemonic identifiers. If you can't remember what mnemonic means, you've got a problem. - Larry Wall
  6. Looks bad. How rapid a response? by feldsteins · · Score: 3, Interesting

    Apple appears to have blundered, although I am still watching for further news on how bad. The key will be to watch how quckly (or how slowly!) they respond with an appropriate fix. If it takes two weeks, that's bad. If it takes 3 days I'm not going to complain about that. We'll see what happens. Until then, no SW update for me.

    Meanwhile I actually sent Apple an email describing the problem and asking for a public advisory and a fix ASAP. Just doing my part.

    --
    You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
  7. Re:What's wrong with Netscape-Enterprise server? by batobin · · Score: 3, Interesting

    Are you serious? Doesn't Apple advertise that Xserve is the perfect server for mission critical purposes? You must be either kidding (which i hope is the case), or smoking crack, man.

    Why did Apple add hotswap drives, advanced monitoring tools, and 24/7 technical support? For shits and giggles? Why did they add REDUNDANT disk arrays? To impress the ladies? Why do they advertise this box to hardcore sys admins? Because they want sys admints to buy it. Do sys admins rely on boxes to handle mission critical operations? Yes. Is that not PREACHING?

    Why, yes, it is.