Slashdot Mirror


Apple Plugs Software Update Hole

hype7 writes "Apple's getting quick! Less than 5 days after the recently reported software update vulnerability was discovered, Apple have a patch plugging the hole. Apparently, packages now presented via the Software Update mechanism are cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing any new packages."

11 of 181 comments

  1. Actually, it's only half-fixed... by imac.usr · · Score: 5, Insightful
    ...that is, until this is backported to OS 9.

    True, Apple has said that OS 9 is dead, but there's a hell of a lot of installations out there, and they all use an insecure Software Update mechanism as well. Apple needs to do the right thing and fix it for those who haven't upgraded because they can't (like those with hardware whose drivers haven't been updated yet), and to prevent Classic from becoming its own security hole.

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
    1. Re:Actually, it's only half-fixed... by discstickers · · Score: 2, Insightful

      I don't think most OS 9 users are worried about getting rooted by script kiddies.

      --
      I have a shitty sig!
  2. Good turnaround Apple by PierceLabs · · Score: 3, Insightful

    Apple has been really taking security seriously lately and this only helps to build confidence that the machine is capable of being used by more novice users who know nothing about the evils of being rooted.

  3. Funny by Anonymous Coward · · Score: 1, Insightful

    Slashdot is funny. When Microsoft announces a patch for Windows two days after a security hole is found, they get bashed for publishing insecure software.

    When Apple fixes a hole five days after acknowledging it, they're praised for being so quick to patch it.

    1. Re:Funny by jamie · · Score: 5, Insightful
      "When Microsoft announces a patch for Windows two days after a security hole is found, they get bashed for publishing insecure software. When Apple fixes a hole five days after acknowledging it, they're praised for being so quick to patch it."

      The situation is not quite comparable...

      The last n Microsoft security holes that I've seen have been discovered by security groups which reported them privately to Microsoft, and worked with Microsoft for typically a month or two to get the patch out. Then the vulnerability was announced the same day as the patch release. A few days or weeks later, an exploit for the vulnerability was posted someplace reasonably mainstream.

      Not so here. The Apple vulnerability was just posted to bugtraq along with an exploit. No indication was made that any attempt to contact Apple was made, much less working privately with Apple while the problem was resolved.

      http://www.cunap.com/~hardingr/projects/osx/exploit.html

      http://online.securityfocus.com/archive/1/280964

      Also this wasn't the worst vulnerability ever found. If someone poisons your DNS server they really can do all manner of bad things to you; Software Update is (was) just one of many concerns you should have. Keep your DNS servers secure!

  4. Re:How does SU now check signatures? by sjehay · · Score: 2, Insightful

    As I understand it, it's not just using checksums, which I agree could still be open to attack. It's requiring all the packages it installs to be cryptographically signed - i.e. Apple must sign all packages they release with THEIR private key and the Software Update client has a copy of Apple's public key in order to be able to verify the signatures. If the signature can't be verified, it won't install the package - i.e. for a malicious third party to be able to install something on a user's machine via Software Update not only would he have to DNS spoof as before but he would also have to obtain Apple's private key from somewhere, which I would hope/expect is fairly difficult. This is the same practice as RH, Ximian et al. use...

  5. Re:check the authenticity of this update too by fermion · · Score: 3, Insightful
    Is either of these really secure? A checksum is to be used to make sure the download worked, not to make sure the file has not been replaced by malicious code. And can't a secure page and DNS be forged? A certificate can be checked, but who does?

    Am I wrong?

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  6. Re:Not a solution, just requires a different attac by gfilion · · Score: 3, Insightful

    A hacker now just has to do some more work. Instead of just the DNS misdirection, they now need to create a checksum for their bad/malicious code. The updater will query their fake update server for the now forged checksum and see it matches the fake update package that was retrieved from the same hacked up server.

    Ever heard about public key cryptography? They sign their packages with their private key, and their public key is hard coded in the software. It's not just a checksum, it's a cryptographically signed checksum. It's pretty safe.

    To sign a checksum for his bad code, the attacker needs to crack Apple's private key. Which can take a few weeks if you're the NSA, but a few hundred years if you're anyone else.
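
What comments 4 and 6 describe, as an added example that is not from the page, from Apple, or from any real Software Update client: a checksum-only client next to a client that pins the vendor's public key and verifies a signature before installing. Ed25519 from Go's standard library stands in for whatever scheme Apple's client actually uses (the page does not say). The type and function names, the package bytes, the "SecurityUpdate.pkg" name and the one-bit transit error are all constructed for this demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// CatalogEntry is what an update server advertises for one package (hypothetical
// layout). Payload stands in for the .pkg bytes; every sample byte string is constructed.
type CatalogEntry struct {
	Payload []byte
	SHA256  string // hex digest published on the same server as the package
	Sig     []byte // signature over the digest; absent in the checksum-only scheme
}

func digest(b []byte) []byte {
	sum := sha256.Sum256(b)
	return sum[:]
}

// VerifyChecksumOnly models the old client. The checksum comes from the same
// DNS-spoofable server as the package, so it only catches corruption in transit.
func VerifyChecksumOnly(e CatalogEntry) error {
	if hex.EncodeToString(digest(e.Payload)) != e.SHA256 {
		return errors.New("checksum mismatch")
	}
	return nil
}

// VerifySigned models the fixed client: it also requires a signature that
// verifies under a public key compiled into the client, which no server controls.
func VerifySigned(pinned ed25519.PublicKey, e CatalogEntry) error {
	if err := VerifyChecksumOnly(e); err != nil {
		return err
	}
	if !ed25519.Verify(pinned, digest(e.Payload), e.Sig) {
		return errors.New("signature does not verify under the pinned vendor key")
	}
	return nil
}

// Publish is the vendor side: sign the digest with a private key that stays with
// the vendor; clients only ever hold the matching public key.
func Publish(priv ed25519.PrivateKey, payload []byte) CatalogEntry {
	return CatalogEntry{
		Payload: payload,
		SHA256:  hex.EncodeToString(digest(payload)),
		Sig:     ed25519.Sign(priv, digest(payload)),
	}
}

// Tamper is the attacker after a DNS redirect: swap the payload, recompute the
// checksum so it matches, and keep the stale vendor signature (attackerKey nil)
// or re-sign with a key the attacker does control.
func Tamper(orig CatalogEntry, malicious []byte, attackerKey ed25519.PrivateKey) CatalogEntry {
	t := orig
	t.Payload = malicious
	t.SHA256 = hex.EncodeToString(digest(malicious))
	if attackerKey != nil {
		t.Sig = ed25519.Sign(attackerKey, digest(malicious))
	}
	return t
}

// Outcome records whether each client model would go ahead and install.
type Outcome struct {
	GenuineOnNew      bool // vendor package, signature-checking client
	TamperedOnOld     bool // checksum-forged package, checksum-only client
	TamperedOnNew     bool // same forged package, signature-checking client
	AttackerSignedNew bool // re-signed with the attacker's own key, signature-checking client
	CorruptedOnOld    bool // one bit flipped in transit, checksum-only client
}

// Demo runs the scenario with freshly generated vendor and attacker keys.
func Demo() (Outcome, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	genuine := Publish(vendorPriv, []byte("constructed sample package bytes"))
	malicious := []byte("constructed malicious package bytes")
	staleSig := Tamper(genuine, malicious, nil)
	reSigned := Tamper(genuine, malicious, attackerPriv)
	corrupted := genuine
	corrupted.Payload = append([]byte(nil), genuine.Payload...)
	corrupted.Payload[0] ^= 0x01 // a transit error, not an attack
	return Outcome{
		GenuineOnNew:      VerifySigned(vendorPub, genuine) == nil,
		TamperedOnOld:     VerifyChecksumOnly(staleSig) == nil,
		TamperedOnNew:     VerifySigned(vendorPub, staleSig) == nil,
		AttackerSignedNew: VerifySigned(vendorPub, reSigned) == nil,
		CorruptedOnOld:    VerifyChecksumOnly(corrupted) == nil,
	}, nil
}
```

The forged package sails through the checksum-only client because the attacker's server publishes both the package and its checksum, while the pinned-key client rejects it whether the attacker forwards the vendor's stale signature or re-signs with a key of his own; the checksum still does its original job of catching the flipped bit. Two caveats the thread touches on: the check is only as strong as the secrecy of the vendor's private key and the integrity of the public key baked into the client, and a signature alone says nothing about freshness, so a real client also needs some defence against being fed an old, genuinely signed package.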

  7. Re:Not a solution, just requires a different attac by Anonymous Coward · · Score: 3, Insightful
    For someone to steal a single private key is rather trivial. Getting enough CPU together to brute force the private key is relatively simple, especially for a hacker that has compromised many systems and can easily install a distributed key generator on all of them. As was seen by several recent worms/viruses it would be possible to install such a client on literally tens of thousands of systems. Since you can have both encrypted and decrypted versions of the protected information, checking for a good key is easy.

    You mean let's say they took over distributed.net and had around 28,149 (or more, since this was the active number of participants in rc5-64 yesterday, who could have multiple machines) machines trying to crack said keys. Let's see, they have been working on rc5-64 for 5 years now... Putting in some estimation for Moore's law, let's say it would take 2 years starting now. So let's get it done in a 3 month period; then we need 8 times as many machines. That means at least 160,000 compromised machines all contacting unknown network addresses over three months. If that is not noticed, that is one hell of a hacker. And that's assuming that Apple used something with an outdated keyspace that's only about as large as rc5-64.

    In other words, yeah, it might not be the safest option out there. But its safe enough for me.

  8. Linux is Funnier by feldsteins · · Score: 2, Insightful

    The real truth of the matter is that it's not Apple who gets a free ride here at Slashdot - it's Linux. Usually when a Linux distro is patched/updated the story on the front page ( and it's always on the front page) usually includes the word "drool" and at least one exclamation point. Apple takes their lumps here same as Microsoft. Worse in many ways because more than half the people here are at least dual-booting a MS OS. Almost none are using an Apple one. But when do the Linux guys get criticised here? About anything?

    And just for the record.

    --
    You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
  9. Note by theolein · · Score: 5, Insightful

    I appreciate, even though it is probably coincidental, that Apple did NOT attack the press for reporting this hole before they had a chance to plug it. It has been a reasonably quick, mature response. Unlike another company that we all know that seems incapable of fixing holes without having a go at all "enemies" on the side.