Slashdot Mirror

← Back to Stories (view on slashdot.org)

Software Update Vulnerability

Posted by pudge on from the oh-goody dept.

redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism 'Software Update.' Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

52 of 92 comments (clear)

  1. It's not a bug, it's a feature! by tristan-b · · Score: 3, Interesting

    Software Update is convinent, but it only allows you to update Apple software (and the occasional IE bug fix). This bug could just as easily be exploited to allow for a Mac computer lab to auto-update third party software, reducing the hassle of network-wide installs, and potentialy making the lab more secure by fixing bugs in other softare. Apple should provide this option, IMHO.

    1. Re:It's not a bug, it's a feature! by medcalf · · Score: 3, Interesting

      It would be nice if SU did provide a feature so that third parties could register their software with SU, and it could then be kept up to date transparently. Of course, this would only be a feature if the user got to pick the non-Apple software to be updated. Having a method where some client I install sets up SU to automatically keep spyware updated, and not telling me about it, would be most unpleasant.

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    2. Re:It's not a bug, it's a feature! by tps12 · · Score: 2, Interesting

      I agree, this could be invaluable to sys admins.

      Rather than going through the agony of installing sshd on each and every client computer, and then writing a bash script to scp updated files as necessary, just have each client poll a central http server (hidden from the Internet by a firewall, of course) for bug updates. Then you just need one person at each workstation to click "okay" and install the thing.

      Just because the Mac is now Unix-based, doesn't mean we should give up the ease of use and convenience that made the Mac great in the first place.

      --

      Karma: Good (despite my invention of the Karma: sig)
    3. Re:It's not a bug, it's a feature! by foobar104 · · Score: 3, Informative

      Rather than going through the agony of installing sshd on each and every client computer....

      Not to be pedantic, but each and every client computer already has sshd on it. It's a part of OS X.

    4. Re:It's not a bug, it's a feature! by Gogo+Dodo · · Score: 2

      If you're in a lab environment, Macintosh Manager and NetBoot should be able to help with the software distribution problem.

    5. Re:It's not a bug, it's a feature! by AllInOne · · Score: 3, Informative

      VersionTracker Pro provides essentially this feature already...

      I haven't used it since it went out of free beta but it is a pretty neat tool for folks who are truly addicted to having the latest version of any software.

    6. Re:It's not a bug, it's a feature! by foobar104 · · Score: 2

      I would use rsync inside ssh to automatically sync to a referance machine.

      How do you plan to install software or preload libraries using rsync?

  2. Wouldn't work on me, or most net-savvy Mac users. by Alex+Thorpe · · Score: 2, Interesting

    The Mac news sites are very thorough, and I always read about new updates before I see them on Software Update. Also, I don't install everything listed. I've marked as inactive several foreign language updates, and some AirPort updates, as I only speak English and don't have an AirPort card.

    --
    "Common Sense Ain't" -Unknown
  3. True Of All Updaters by dthable · · Score: 2, Informative

    This is true of all those Automatic Update tools, including Red Carpet and Windows Update. They all use DNS to find the software on the Net and then install the modules without too much fuss. The only real work around is to know what you're installing. Download from what you believe to be the correct source, always look for a public verification key and then install it.

    1. Re:True Of All Updaters by Anonymous Coward · · Score: 3, Informative

      what are you talking about? red carpet verifies the gpg signatures on rpms before installing them. i suspect windows update does something similar.

    2. Re:True Of All Updaters by phyxeld · · Score: 3, Interesting
      The only real work around is to know what you're installing. Download from what you believe to be the correct source, always look for a public verification key and then install it.

      1. I believe swscan.apple.com to be the correct source. The point is, that could be made to resolve to a different, hostile, IP address.

      2. A public verification key? From apple? See, thats the problem. They don't do that currently. When they start to, they'll probably build it into the software update system, like they should have in the first place.

      An interesting sidenote: I've been sniffing some SU traffic after reading all this, and noticed some interesting HTTP headers:
      Accept-Ranges: bytes
      Date: Mon, 08 Jul 2002 07:01:41 GMT
      Content-Length: 7286
      Content-Type: text/plain
      Server: Netscape-Enterprise/3.6 SP3
      Etag: "ea810-1c76-3d20f5eb"
      Last-modified: Tue, 02 Jul 2002 00:38:03 GMT
      Via: 1.1 netcache04 (NetCache NetApp/5.2R1D8)
      Looks like Apple doesn't practice what they preach in terms of server software. :)
      And wtf is that NetApp cache bullshit? Does everyone see that, or am I being transparently proxied somewhere?! OK, just checked some other stuff, the NetApp cache header is only present on my SoftwareUpdate connections. Something on apple's end? Does everybody see this?

      (fwiw i'm using the incredibly simple tcpflow to watch my tcp traffic. ethereal is cooler, and lets me see non-tcp traffic too, but the current mac (fink) version has a very high suck factor. Sometimes ICMP packets don't show up, streams can almost never be reconstructed entirely, etc etc. Moving capture files off the mac over to a linux or bsd box for analysis is the only way I can seem to use ethereal for much of anything.)
      --
      __
      Choose mnemonic identifiers. If you can't remember what mnemonic means, you've got a problem. - Larry Wall
    3. Re:True Of All Updaters by TheAJofOZ · · Score: 2
      what are you talking about? red carpet verifies the gpg signatures on rpms before installing them. i suspect windows update does something similar.

      erm, except the gpg signature comes from the same person supplying the malicious file..... oops.

  4. Right... by Clue4All · · Score: 2, Insightful

    Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.

    You mean like the thousands of users on my cable network that I share a DNS server with? I'm not sure I trust them too much, but I can't really do much about that.

    --

    Is your browser retarded?
  5. Re:Wouldn't work on me, or most net-savvy Mac user by tristan-b · · Score: 3, Interesting

    Or would it? All you'd have to do is wait for a legitimate update to be released and mask your software as that update (same filename/size/desc). The end user would have no idea they weren't updating to OS 10.1.6, but rather installing a trojan. Software Update is a trusted source for most users.

  6. Not Sharing a LAN? by Jeremiah+Cornelius · · Score: 3, Funny
    I guess Pudge's "Not sharing a LAN with someone who'd do that was meant to be enclosed in tags!
    <sarcasm>
    Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.
    </sarcasm>

    These exploit techniques could be used by a good blackhat to affect everyone on, let's say Rogers Cable, in a specific geographic region. Face, it: since this became a one-protocol world with fat pipes, we all trust upstream.

    Are you big enough for your home DNS to point only at root?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  7. we already have that by g4dget · · Score: 2
    It's called "Fink" and "apt-get". You can configure your sources for apt-get in whatever way you like.

    Granted, it's still a bit shaky on Macintosh OS X, but it's getting better.

  8. "Easy" solution by bnenning · · Score: 3, Interesting

    Apple should sign all updates and Software Update should verify what it downloads against Apple's public key. An attacker would then have to modify the copy of Apple's public key on the victim's machine, or modify Software Update to disable the check, both of which would presumably require root privileges. Still not perfect, but an improvement.

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  9. Looks bad. How rapid a response? by feldsteins · · Score: 3, Interesting

    Apple appears to have blundered, although I am still watching for further news on how bad. The key will be to watch how quckly (or how slowly!) they respond with an appropriate fix. If it takes two weeks, that's bad. If it takes 3 days I'm not going to complain about that. We'll see what happens. Until then, no SW update for me.

    Meanwhile I actually sent Apple an email describing the problem and asking for a public advisory and a fix ASAP. Just doing my part.

    --
    You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
  10. No easy fixes... by MacDork · · Score: 2, Insightful

    This is an old trick. Remember the stink raised recently about users 'uncapping' their cable modems? Same idea. It's a problem here primarily because the install runs as root.

    The solution is a bit hairy though. Let's say Apple builds authentication into the "SoftwareUpdate" mechanism. That doesn't stop someone from spoofing a third party software updating mechanism. It also doesn't stop someone from writing malicious software that poses as shareware. I downloaded a shareware app last week that asked for Admin privileges just so the installer could drop the application in /Applications.

    And should Apple build authentication into the installer process from the ground up, everyone will be wringing their hands with concerns about how Apple selects who gets signed. It will strongly resemble the code signing thing Microsoft said it would start doing in future versions of Windows. (Though, I'm more apt to trust Apple to 'do the right thing' when it comes to *not* stifling the competition.)

    Even then, a malicious code writer could craft an install process that 'looks' like Apple's long enough to get a password and then pipe it to sudo with something like java.lang.Runtime.exec(). Anybody that thinks Apple should/will have a solution to this problem in a few days really ought to rethink the problem a bit. It has as much to do with educating end users about code signing, security, privileges, and encryption as it does with any software fix Apple finally does produce.

    The irony here is this isn't a problem until an end user enters a password and clicks "OK". It isn't automatic like some javascript launched Outlook attachment. Whoever posted this 'testing' software could have done the same with Windows, or one of a thousand other auto-updating programs on the net, but chose Apple. Why? In my estimation he is tired about hearing how secure and virus free Macs are.

    1. Re:No easy fixes... by Wesley+Felter · · Score: 2

      And should Apple build authentication into the installer process from the ground up, everyone will be wringing their hands with concerns about how Apple selects who gets signed.

      I doubt it, since Software Update is only used to update Mac OS itself.

      It will strongly resemble the code signing thing Microsoft said it would start doing in future versions of Windows.

      Not really, since MS is talking about requiring code to be signed, while we're talking about having Apple sign updates for their own software. Debian signs their updates, right? Does that make them evil, too?

    2. Re:No easy fixes... by foniksonik · · Score: 2

      "Anybody that thinks Apple should/will have a solution to this problem in a few days really ought to rethink the problem a bit."

      It is entirely possible on the other hand that they have been addressing this issue for the last several months while developing OS X 10.2 and that the fix is right around the corner. Maybe not a few days but within a few weeks is reasonable. Especially as they are looking for high marks from the government regarding security.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
  11. No workaround my @$$ by red5 · · Score: 4, Informative

    There is a very simple workaround. Just add the following line to your /etc/hosts

    204.179.120.93 swquery.apple.com

    Now if somebody tries the DNS attack it won't work as we hardcoded swquery.apple.com -> 204.179.120.93 You will of course have to activate your /etc/hosts file but, I'm pretty sure that you people (/.ers) know how to do this already.

    --
    I know I'm going to hell, I'm just trying to get good seats.
    1. Re:No workaround my @$$ by jquirke · · Score: 2

      That's a nifty 'solution' but it doesn't prevent someone from spoofing the traffic from that particular IP address. So someone could pretend to be 204.179.120.93

    2. Re:No workaround my @$$ by batobin · · Score: 2

      I think the point was that it made things a lot harder. DNS servers are relatively easy to hack, compared to spoofing someone else's IP address.

      Obviously the workaround isn't perfect. What if apple changes the IP of their update server? What if they use akamai to host the updates, and the IP that was posted is actually some server halfway around the globe from you?

      It's not perfect, but give the man some credit for being creative, will ya? :)

    3. Re:No workaround my @$$ by Silas · · Score: 2
      There is a very simple workaround. Just add the following line to your /etc/hosts
      204.179.120.93 swquery.apple.com

      Oh, sure, and we're just supposed to trust that your DNS hasn't already been poisoned? :)

    4. Re:No workaround my @$$ by usr122122121 · · Score: 2, Informative
      Why not just do it in NetInfo?

      1) open it up /Applications/Utilities/NetInfo Manager
      2) click the lock to authenticate.
      3) use the browser to go to /machines/
      4) click the "Create New Directory" button.
      5) modify the new directory you just made to have these attributes:
      key:ip_address value:204.179.120.93
      key:name value:swquery.apple.com
      key:serves value:./local
      6) save the modified netinfo database. it will ask you if you "REALLY" want to do it. if you're sure, agree.

      --

      -braxton
    5. Re:No workaround my @$$ by red5 · · Score: 2

      Because I'm a unix guy damn it!.
      Take that newfangeled netinfo thingy and give my my flat files anyday. :)

      --
      I know I'm going to hell, I'm just trying to get good seats.
    6. Re:No workaround my @$$ by gr · · Score: 2

      As I posted on Bugtraq, no, that doesn't fix shit. Because I just arp flood your router, spoof the IP address, and you lose.

      Updates must be at least checksummed and really should also be cryptographically signed. Period.

      --
      Do you have a /. uid shorter than five digits? No? Then piss off.
  12. The NetInfo method by Slur · · Score: 4, Informative

    MacOS X doesn't use the hosts file except in single-user mode, but once you've changed the /etc/hosts file you can update the NetInfo database like so:

    sudo niload hosts / /etc/hosts

    --
    -- thinkyhead software and media
    1. Re:The NetInfo method by 2nd+Post! · · Score: 2

      Doesn't seem to work for me. There are two spaces between / and /etc/hosts as well?

      --

      GPL Deconstructed
    2. Re:The NetInfo method by red5 · · Score: 4, Informative

      Okay looks like I assumed wrong (you don't all know). You can activate your /etc/hosts file by setting /locations/lookupd/hosts/LookupOrder -> ( CacheAgent, FFAgent, NIAgent, YPAgent, DNSAgent, NILAgent ) in netinfo.

      Simply copy this file to lookupd.txt. Then type:
      niload -r /locations/lookupd / < lookupd.txt

      Yes, I "stole" all of this from this page. Except mine is modifyed to activate the /etc/hosts file also.

      --
      I know I'm going to hell, I'm just trying to get good seats.
    3. Re:The NetInfo method by foniksonik · · Score: 2

      Read the articles about netinfo if you don't KNOW what you are doing here. You could royally screw your system. AND for real, MAKE a BACKUP! of the database before you do anything.

      --
      A fool throws a stone into a well and a thousand sages can not remove it.
  13. What's wrong with Netscape-Enterprise server? by 2nd+Post! · · Score: 2

    They could be running it with Web Objects on Solaris, couldn't they?

    Or what are you suggesting that I don't understand?

    --

    GPL Deconstructed
    1. Re:What's wrong with Netscape-Enterprise server? by batobin · · Score: 2

      I think what he's suggesting is that Apple should be hosting with their own hardware. If Microsoft gave their employees Macs, with OS X installed, with Internet Explorer, the same questions would be raised.

      In other words, possibly having just 1 piece of Apple software doesn't make it all OK. Hence, they're not practicing what they preach.

    2. Re:What's wrong with Netscape-Enterprise server? by 2nd+Post! · · Score: 2

      Considering that they don't have the hardware to run such a server (yet), it's not unreasonable to be running on Solaris hardware at all.

      --

      GPL Deconstructed
    3. Re:What's wrong with Netscape-Enterprise server? by Refrag · · Score: 2

      Apple doesn't preach using Apple hardware for mission critical server operations.

      --
      I have a website. It's about Macs.
    4. Re:What's wrong with Netscape-Enterprise server? by batobin · · Score: 3, Interesting

      Are you serious? Doesn't Apple advertise that Xserve is the perfect server for mission critical purposes? You must be either kidding (which i hope is the case), or smoking crack, man.

      Why did Apple add hotswap drives, advanced monitoring tools, and 24/7 technical support? For shits and giggles? Why did they add REDUNDANT disk arrays? To impress the ladies? Why do they advertise this box to hardcore sys admins? Because they want sys admints to buy it. Do sys admins rely on boxes to handle mission critical operations? Yes. Is that not PREACHING?

      Why, yes, it is.

    5. Re:What's wrong with Netscape-Enterprise server? by Refrag · · Score: 2

      I don't see anything here indicating that they intended for the Xserve to be used for mission critical applications.

      --
      I have a website. It's about Macs.
  14. workaround != solution. by red5 · · Score: 2

    I never said it was a "'solution'" I said it was a workaround. If they could do all that they could easly spoof off Verisign and then HTTPS is fucked also. So whats your point?

    --
    I know I'm going to hell, I'm just trying to get good seats.
    1. Re:workaround != solution. by jquirke · · Score: 2

      My original post was taken the wrong way.

      It was not an attack on your idea, sir.

      I was merely pointing out to others who may have interpreted it as a solution and felt they were safe that this did not eliminate the vulnerability.

      --jquirke

    2. Re:workaround != solution. by ConsumedByTV · · Score: 2

      Actually you're mistaken.

      To spoof verisign and https it would require that you have a valid cert(yes it is possible to make them).To spoof a connection that used a false cert would alert the user to that fact. The fact of the matter is that apple swupdate doesnt even use SSL! So it doesn't matter if you can spoof SSL. This is why redhat up2date uses gpg, because if it is spoofed, they cant SIGN the packages! AND YOU KNOW YOU HAVE BEEN HACKED! Because you can't prevent the hack with the way the internet works! You can detect if the programmers who made the system are semi security minded.

      Apple is not that.

      --


      "Not my manner of thinking but the manner of thinking of others has been the source of my unhappiness." - M
    3. Re:workaround != solution. by red5 · · Score: 2

      To spoof verisign and https it would require that you have a valid cert(yes it is possible to make them).To spoof a connection that used a false cert would alert the user to that fact. The fact of the matter is that apple swupdate doesn't even use SSL! So it doesn't matter if you can spoof SSL.

      The story says that the vulnerable is because apple uses http and not https. My point was that if you can spoof IPs you cloud easly spoof both the https server IP and the signing authorities IP. Thus bypassing any https connection. Unless public keys for all the signing authorities are included with every https implementation.

      Anyhow it's a workaround. It workaround this exploit. Hopefully apple will update software update to use crypto signed packages and SSL connections. Till then I'm keeping the line in my /etc/hosts and checking every update first.

      --
      I know I'm going to hell, I'm just trying to get good seats.
    4. Re:workaround != solution. by red5 · · Score: 2

      I wasn't affeneded at all. Not quite sure what made you think that. Perhaps it's the '!' in the subject line.

      Wow, getting called "sir" I feel all giddy now. :)

      And yes you're right it wont be fully secure till they have cripto singned updates.

      --
      I know I'm going to hell, I'm just trying to get good seats.
  15. Re:Wouldn't work on me, or most net-savvy Mac user by Alex+Thorpe · · Score: 2, Insightful

    Troll? No, just disagreeing that this minor security flaw is a huge threat to the individual home user. Even if I did install this theoretical trojan horse(a big if), it's not going to do a great deal of damage without Root access, which I've not enabled, and my credit card numbers and SSN's are nowhere to be found on my hard drive. Unlike you, I'm also posting with my real name. I suppose a pissed hacker might use that info to try and DoS me, but that's all he could do to me. It'd give me more time for Warcraft III, once my copy arrives. ;-)

    --
    "Common Sense Ain't" -Unknown
  16. Re: Apple Servers by Saint+Fnordius · · Score: 2

    Well, according to this chart, Apple was hosting their websites on Solaris machines until late 2000. It looks like instead of just trashing the machines, Apple shuffled them off into the back rooms to handle lesser duties like SU and such.

    I think this is a good idea, as 1) the machines are still good, and 2) it saves resources by using them as long as possible. Apple's server forays are still relatively new (and against the spirit of building personal computers), so it's natural that they'd had somebody else's boxen.

  17. Re:Looks bad. How rapid a response? by feldsteins · · Score: 2

    Actually, I think Apple could use some sort of authentication or digitally sign their updates. That seems to be the general consensus.

    --
    You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
  18. Bug Fix by cappadocius · · Score: 2, Funny
    Luckily there's a bug fix! Just go to Software Update right now to get it.

    Oh, but only if you're on my campus network.

    --

    omnia tua castra sunt nobis

  19. 1 possible security exploit.... by gsfprez · · Score: 2

    and one serious screw up of a installation app....is that the best you can muster after a year?

    Keep going, Apple. Maybe someday you'll be taken seriously as a operating system company and have thousands.

    Or at LEAST ship with one hole that you know about with Jagwire... that would probably jump start your reputation.

    --
    guns kill people like spoons make Rosie O'Donnell fat.
  20. Apple Has Released a Fix by Johnny+Mnemonic · · Score: 2


    The vulnerability discussed above has now been addressed by an from Apple. I would say pretty fast work--the exploit page on /. is still available for posts when the patch is released. Also, as other posters have mentioned, a number of updaters from other vendors still don't sign their updates.

    It's clear that Apple has a security focus now--although they may not always get it right out of the box, they have responded quickly to the last 3 major holes, patching the system in days, not weeks.

    --

    --
    $tar -xvf .sig.tar
  21. Re:Looks bad. How rapid a response? by feldsteins · · Score: 2

    The key will be to watch how quckly (or how slowly!) they respond with an appropriate fix. If it takes two weeks, that's bad. -- me, 5 days ago

    It's been five days and it seems the fix has been issued. I wonder if there will be a followup story where we can all go "gee, Apple handled that fairly well"?

    --
    You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
  22. If you're going to be insulting... by greygent · · Score: 2

    you might as well post a fix that is actually LESS of a kludge than who you're insulting.

  23. Re:Wouldn't work on me, or most net-savvy Mac user by binarybits · · Score: 2

    Um, software update does effectively run with root access. How do you think it patches system files? So you're effectively giving root access to anyone who exploits it.

    Now is it *likely* that anyone would do this to you specifically? Not really. But this is a terrible way to think about computer security. The fact is you don't know what creative ways someone might come up with to exploit this hole. The fact that you can't think of an exploit that will work against you doesn't mean there isn't one-- if the software is exploitable, all that's needed is a bit of social engineering to find a way to make use of it in the real world.

    The "who would hack little old me" argument might have worked 5 years ago when there were relatively few people on the 'net and most of them were responsible adults. But these days the 'net is swarming with script kiddies, and if a vulnerability appears it's likely to be exploited quickly and in parallel.

    I'll grant that in this particular case, it seems unlikely that there's any way this could be exploited without access to your local network, which presumably is secure. But it's never a good idea to rely on such assumptions-- there are many examples where minor holes were discovered, were poo-pooed by the authorities, and were later discovered to be major holes because of a clever exploit no one thought of. That could happen in this case as well-- someone might figure out a way to trick your Mac into connecting to someone other than Apple.