Software Update Vulnerability
redmoss writes "I just saw this exploit for Software Update on Bugtraq. Quoting the discoverer Russell Harding: 'Mac OS X includes a software updating mechanism 'Software Update.' Software Update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well-known techniques, such as DNS Spoofing, or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple.' Looks like people using Software Update need to be careful, as there is currently no workaround." Well, one workaround for this particular exploit is to not share a LAN with someone who would do that sort of thing.
There is a very simple workaround. Just add the following line to your /etc/hosts:
204.179.120.93 swquery.apple.com
Now if somebody tries the DNS attack it won't work as we hardcoded swquery.apple.com -> 204.179.120.93. You will of course have to activate your /etc/hosts file but, I'm pretty sure that you people (/.ers) know how to do this already.
I know I'm going to hell, I'm just trying to get good seats.
MacOS X doesn't use the hosts file except in single-user mode, but once you've changed the /etc/hosts file you can update the NetInfo database like so:
sudo niload hosts / < /etc/hosts
-- thinkyhead software and media
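A check that the pin discussed in the comments above is actually in effect, as an added example that is not part of the original thread: it parses a hosts-format file for the pinned entry and compares it with what the system resolver returns, which is the answer applications actually see. The function names and the sample hosts text are constructed for illustration.

```python
import socket

# Constructed sample mirroring the entry from the comment above.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
204.179.120.93 swquery.apple.com   # pinned update server
"""

def pinned_addresses(hosts_text, name):
    """Return the set of addresses a hosts-format text maps `name` to."""
    wanted = name.lower().rstrip(".")
    found = set()
    for line in hosts_text.splitlines():
        # Drop comments, then split into address + names/aliases.
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        if any(n.lower().rstrip(".") == wanted for n in names):
            found.add(addr)
    return found

def system_addresses(name):
    """Ask the system resolver (the path applications use), not the file."""
    infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def check_pin(hosts_text, name, resolve=system_addresses):
    """Classify the pin as 'no-pin', 'unresolved', 'active' or 'ignored'."""
    pinned = pinned_addresses(hosts_text, name)
    if not pinned:
        return "no-pin", pinned, set()
    try:
        resolved = resolve(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return "unresolved", pinned, set()
    # Active only if every answer the resolver gives is one we pinned.
    status = "active" if resolved and resolved <= pinned else "ignored"
    return status, pinned, resolved

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        status, pinned, resolved = check_pin(fh.read(), "swquery.apple.com")
    print(status, "pinned:", sorted(pinned), "resolver:", sorted(resolved))
```

A result of "ignored" means the entry exists in the file but the resolver is answering from somewhere else, which is the situation the second comment describes before the file is loaded into NetInfo.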