Slashdot Mirror


Apple Plugs Software Update Hole

hype7 writes "Apple's getting quick! Less than 5 days after the recently reported software update vulnerability was discovered, Apple have a patch plugging the hole. Apparently, packages now presented via the Software Update mechanism are cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing any new packages."

15 of 181 comments

  1. Re:how do you update? by Anonymous Coward · · Score: 2, Informative

    No go here
    http://docs.info.apple.com/article.html?artnum=75304

    http://docs.info.apple.com/article.html?artnum=75304#checksum

  2. Re:how do you update? by jeffasselin · · Score: 3, Informative
    No, actually you download it from Apple's web site and verify the integrity of the downloaded file using the instructions on the web site, using sha1 to get a checksum and compare it to the one they give there. That way you ensure the update is the right file, and from now on you can use software update securely.

    Checksum info

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
  3. check the authenticity of this update too by Kevinv · · Score: 5, Informative

    If you want to make sure this update is valid you can read the update info and verify the checksum

    or for the extra paranoid, check the secure page

    1. Re:check the authenticity of this update too by thrig · · Score: 5, Informative

      There was also a post to the security-announce list, signed with Apple's Product Security key, which you can verify with a live person if you really feel like it. The post contained the website notes, plus SHA1 checksum of the installer disk image. Given current security technology, Apple covered their bases quite well.

  4. Re:Actually, it's only half-fixed... by KFury · · Score: 5, Informative

    and to prevent Classic from becoming its own security hole.

    This wouldn't be a problem for the average user running OS X and classic, since the OS 9 version of software update wouldn't ever be launched. Only the Os X version would be activated regularly to check for updates.

    True that until they patch the OS 9 version similarly there will be a lingering risk for people running OS 9 as their primary OS, but not for those using it in Classic mode.

  5. Re:software update by jamesoutlaw · · Score: 3, Informative

    They've got a secure download site available.
    From the software update information:
    "Security Update 7-12-02 delivers a more secure Software Update service to verify that future updates originate from Apple. If you would prefer to download this manually from a secure Apple server you can download the package at http://www.info.apple.com/kbnum/n75304"
    :)

  6. Re:how do you update? by CyberBry · · Score: 2, Informative

    Yes, the update is available in Software Update.
    Here's what the description says:

    Security Update 7-12-02 delivers a more secure Software Update service to verify that future updates originate from Apple. If you would prefer to download this manually from a secure Apple server you can download the package at http://www.info.apple.com/kbnum/n75304

    --

    ----
    Bryan Samis
    http://www.thesamis.net
  7. Just checking (Re: Funny) by Anonymous Coward · · Score: 5, Informative

    Do you ever use telnet? Ever?

    Do you use insecure POP3?

    If either of these things is true, your passwords are flying through unprotected space every time you do either one, and you have no sane reason to complain about apple leaving apple software update with this "hole" for so long. If someone has the ability to exploit the software update "hole" mentioned here, they also have the ability to eavesdrop on all the traffic-- including passwords-- that you create when you do telnet, insecure POP3, or a number of other things.

    I'd say the hypocrisy here is that we're considering it a horrendous hole that an apple network application was susceptible to man-in-the-middle attacks, but we're not, as members of the internet community as a whole, looking for ways that we can implement things such as ssh tunnelling or s/wan on a massive scale so that man-in-the-middle attacks can be wiped out at the root of the problem instead of having to be implemented individually in every single application in the universe.

  8. New softwareupdate command by znu · · Score: 4, Informative

    This update also adds the command-line updating tool that comes with Xserve. See 'man softwareupdate'.

    --
    This space unintentionally left unblank.
  9. Not Quite by Llywelyn · · Score: 5, Informative

    Yes, so long as the means of communicating the checksum are secure (i.e., not prone to a man-in-the-middle attack).

    Actually checksums have been used for years in order to ensure that a program has not been replaced with a malicious bit of code or modified in any way:

    For instance, you want to make sure you haven't been hacked and ls hasn't been tampered with to hide the files? Have a checksum for it stored offsite and/or in a secure manner (encrypt it with a symmetric key and pray that key hasn't been compromised as well) and then compare with what pops up when you look at the file.

    The idea is that if the file has changed at all, the checksum is going to be different.

    Note though that in order for this to work the means by which you receive the checksum *must* be secure. They can be cleartext (such as in this case), but you must be able to confirm the source of the checksum is who you think it is.

    Thus, it would be a poor way for the software update mechanism to operate (since the attacker could send a false checksum) but is okay for something like this.

    --
    Integrate Keynote and LaTeX
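The distinction the comments above draw, between verifying a manually downloaded installer against Apple's published SHA-1 and the case where a checksum arrives over the same untrusted channel as the package, is worked through below in Go. This is an added example for this page, not code from the thread or from Apple's Software Update client. It assumes an Ed25519 key pair generated for the demo (standing in for the vendor key that a signing update client would carry), a constructed sample payload in place of the real disk image, and hypothetical function names (Publish, Intercept, OldClientAccepts, NewClientAccepts).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Vendor signing key, generated fresh for the demo (assumption: a real
// vendor keeps the private half offline and ships only the public half
// inside the update client).
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

// Constructed sample payloads: the genuine update and a substitute
// a man in the middle would like the client to install instead.
var goodPkg = []byte("Security Update 7-12-02 (constructed sample payload)")
var evilPkg = []byte("substitute package injected by a man in the middle")

// Sha1Hex returns the lowercase hex SHA-1 of data, the same value that
// `openssl sha1 file.dmg` prints, so it can be compared with a published sum.
func Sha1Hex(data []byte) string {
	sum := sha1.Sum(data)
	return hex.EncodeToString(sum[:])
}

// ChecksumMatches compares a freshly computed SHA-1 against the published one.
// It detects modification only if `published` itself came from a source you
// trust (a signed mail, a page you are sure is Apple's); it says nothing
// about origin on its own.
func ChecksumMatches(pkg []byte, published string) bool {
	return subtle.ConstantTimeCompare([]byte(Sha1Hex(pkg)), []byte(published)) == 1
}

// Announcement is what the update server hands the client over the network.
type Announcement struct {
	Pkg  []byte
	Sha1 string
	Sig  []byte // signature over Pkg; what the patched client checks
}

// Publish signs the package and posts it together with its checksum.
func Publish(priv ed25519.PrivateKey, pkg []byte) Announcement {
	return Announcement{Pkg: pkg, Sha1: Sha1Hex(pkg), Sig: ed25519.Sign(priv, pkg)}
}

// Intercept models the attack from the thread: the attacker on the path swaps
// the payload and recomputes the checksum, so a client that trusts the
// checksum from the same channel notices nothing. Without the vendor's
// private key it cannot mint a matching signature, so it forwards the old one.
func Intercept(a Announcement, evil []byte) Announcement {
	return Announcement{Pkg: evil, Sha1: Sha1Hex(evil), Sig: a.Sig}
}

// OldClientAccepts: checksum taken from the same cleartext channel as the
// package, which is exactly the weakness the comment above describes.
func OldClientAccepts(a Announcement) bool {
	return ChecksumMatches(a.Pkg, a.Sha1)
}

// NewClientAccepts: verifies the signature against a public key the client
// already holds, so nothing the attacker controls on the wire is trusted.
func NewClientAccepts(pub ed25519.PublicKey, a Announcement) bool {
	return ed25519.Verify(pub, a.Pkg, a.Sig)
}

func main() {
	genuine := Publish(vendorPriv, goodPkg)
	tampered := Intercept(genuine, evilPkg)

	fmt.Println("genuine  checksum-only:", OldClientAccepts(genuine),
		" signature:", NewClientAccepts(vendorPub, genuine))
	fmt.Println("tampered checksum-only:", OldClientAccepts(tampered),
		" signature:", NewClientAccepts(vendorPub, tampered))
}
```

The same ChecksumMatches is what a manual verification does after downloading the disk image by hand: the sum is still just a SHA-1, but the value you compare against came from a page or a signed mail you trust rather than from whoever is on the path, which is the "means of communicating the checksum are secure" condition the comment sets.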
  10. Re:Other Problems with Software Update by gerardrj · · Score: 3, Informative
    The resume on failure is a problem
    You can find all the successfully downloaded updates in "/Library/Receipts". You can double-click the packages in there to install the update, copy the update to another machine and install it, burn it to CD for later use, etc.

    On the down side, Apple doesn't seem to advertise that they store all the update packages there, so some people can't figure out where all the HD space is going.

    --
    Article X: The powers not delegated... by the Constitution...are reserved...to the people
  11. Re:Other Problems with Software Update by mithras+the+prophet · · Score: 3, Informative

    actually the packages in /Library/Receipts contain everything except for the actual payload. That is, they have the Readme, install information, file list, etc., but not the actual files. That's why they're called "Receipts".

    For example, the very large (400MB+) developer tools package has a receipt of size 616k.

    In order to save the package to install later or on other machines, you have to select Update:Save Update before you click the "Install" button in Software Update.

    --
    four nine eighteen twenty-7 thirty-nine forty-7 fiftyeight sixty-nine seventy-9 eighty-8 one-hundred-and-nine one-twenty
  12. HOWTO report security problems to Apple by aelvin · · Score: 3, Informative

    If you need to report a security problem to Apple, there are instructions on the Apple Product Security page.

    It boils down to an email to product-security@apple.com. Encrypt sensitive information using Apple's product security PGP key, key ID 0x44E85F68, fingerprint AE43 8996 9250 78A6 D587 3CA8 2165 60D7 44E8 5F68.

    Although PGP for Mac OS X is sadly still in suspended animation, others have mentioned the availability of MacGPG and related tools, which are perfectly suitable for PGP, including rudimentary integration with Mail.app.

  13. software update CLI tool by flamingnight · · Score: 3, Informative

    Well, software update is now available from the CLI:
    Welcome to Darwin!
    [jupiter:~] root# softwareupdate
    Software Update Tool
    Copyright 2002 Apple Computer, Inc.

    Your software is up to date.

    [jupiter:~] root#
    Also, the man page for software update says you can install (a) specific update(s) by name, by softwareupdate [item ...]
    Interestingly, it must be run as root, though Software Update via System Preferences only requires an Administrator's password -- this could just be because it sudo's, as an admin *can* sudo... Also, it was written (the CLI tool, or at least the man page) on May 2, 2002.

  14. softwareupdate by Anonymous Coward · · Score: 1, Informative

    One cool new thing in the Software Update Security Update... it adds a file to /usr/sbin/ called softwareupdate. Looks like Darwin users may soon be able to keep up to date as well