Slashdot Mirror


Apple Plugs Software Update Hole

hype7 writes "Apple's getting quick! Less than 5 days after the recently reported software update vulnerability was discovered, Apple have a patch plugging the hole. Apparently, packages now presented via the Software Update mechanism are cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing any new packages."

8 of 181 comments

  1. Actually, it's only half-fixed... by imac.usr · Score: 5, Insightful
    ...that is, until this is backported to OS 9.

    True, Apple has said that OS 9 is dead, but there's a hell of a lot of installations out there, and they all use an insecure Software Update mechanism as well. Apple needs to do the right thing and fix it for those who haven't upgraded because they can't (like those with hardware whose drivers haven't been updated yet), and to prevent Classic from becoming its own security hole.

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
    1. Re:Actually, it's only half-fixed... by KFury · Score: 5, Informative

      and to prevent Classic from becoming its own security hole.

      This wouldn't be a problem for the average user running OS X and Classic, since the OS 9 version of Software Update wouldn't ever be launched. Only the OS X version would be activated regularly to check for updates.

      True that until they patch the OS 9 version similarly there will be a lingering risk for people running OS 9 as their primary OS, but not for those using it in Classic mode.

  2. check the authenticity of this update too by Kevinv · Score: 5, Informative

    if you want to make sure this update is valid you can read the update info and verify the checksum

    or for the extra paranoid, check the secure page

    1. Re:check the authenticity of this update too by thrig · Score: 5, Informative

      There was also a post to the security-announce list, signed with Apple's Product Security key, which you can verify with a live person if you really feel like it. The post contained the website notes, plus SHA1 checksum of the installer disk image. Given current security technology, Apple covered their bases quite well.
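The story summary (a client that refuses to install a package unless its signature verifies) and thrig's point above (a signed announcement carrying the checksum of the installer image) are the same check seen from two sides: a vendor key signs a small manifest, and the client verifies the manifest and then the package hash it names before installing. The Go program below is an added illustration, not Apple's code or anything posted in the thread. It assumes Ed25519 for the signature and SHA-256 for the package hash (the page names neither algorithm), a hypothetical three-line manifest layout, and constructed package bytes; the vendor public key is pinned in the client rather than fetched, since a poisoned DNS server could otherwise serve that too.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata published next to a package: name, version and the
// hex SHA-256 of the package bytes. Hypothetical layout for this example; the
// page does not describe Apple's actual catalog format.
type Manifest struct {
	Name    string
	Version string
	SHA256  string
}

// Encode returns the exact bytes that get signed and verified. Field order and
// separators are fixed so signer and verifier agree byte for byte.
func (m Manifest) Encode() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest is the vendor-side step, done offline with the private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("package hash does not match the signed manifest")
)

// VerifyUpdate is the client-side gate run before anything is installed.
// pub is the vendor key built into the client, never downloaded.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Scenario runs the three cases a signature-checking client must handle and
// returns the verification result for each (nil means "install allowed").
func Scenario() (genuine, tamperedPkg, forgedManifest error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)

	pkg := []byte("constructed package contents for Software Update 1.4.6")
	sum := sha256.Sum256(pkg)
	m := Manifest{Name: "SoftwareUpdate", Version: "1.4.6", SHA256: hex.EncodeToString(sum[:])}
	sig := SignManifest(vendorPriv, m)
	genuine = VerifyUpdate(vendorPub, m, sig, pkg)

	// A server reached through poisoned DNS can swap the package bytes, but it
	// cannot produce a manifest that names the new hash and still verifies.
	evilPkg := []byte("constructed package contents replaced in transit")
	tamperedPkg = VerifyUpdate(vendorPub, m, sig, evilPkg)

	// Publishing a fresh manifest over the swapped package, signed with a key
	// the client has never pinned, fails at the signature step instead.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	evilSum := sha256.Sum256(evilPkg)
	evilM := Manifest{Name: m.Name, Version: m.Version, SHA256: hex.EncodeToString(evilSum[:])}
	forgedManifest = VerifyUpdate(vendorPub, evilM, SignManifest(otherPriv, evilM), evilPkg)
	return
}

func main() {
	g, t, f := Scenario()
	fmt.Println("genuine update:   ", g)
	fmt.Println("swapped package:  ", t)
	fmt.Println("re-signed manifest:", f)
}
```

The only thing that makes this stronger than a checksum alone is the pinned public key: with it, neither the manifest nor the package can be replaced by whoever controls the path to the update server, which is exactly the gap the pre-1.4.6 client had.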

  3. Re:Funny by jamie · Score: 5, Insightful
    "When Microsoft announces a patch for Windows two days after a security hole is found, they get bashed for publishing insecure software. When Apple fixes a hole five days after acknowledging it, they're praised for being so quick to patch it."

    The situation is not quite comparable...

    The last n Microsoft security holes that I've seen have been discovered by security groups which reported them privately to Microsoft, and worked with Microsoft for typically a month or two to get the patch out. Then the vulnerability was announced the same day as the patch release. A few days or weeks later, an exploit for the vulnerability was posted someplace reasonably mainstream.

    Not so here. The Apple vulnerability was just posted to bugtraq along with an exploit. No indication was made that any attempt to contact Apple was made, much less working privately with Apple while the problem was resolved.

    http://www.cunap.com/~hardingr/projects/osx/exploit.html

    http://online.securityfocus.com/archive/1/280964

    Also this wasn't the worst vulnerability ever found. If someone poisons your DNS server they really can do all manner of bad things to you; Software Update is (was) just one of many concerns you should have. Keep your DNS servers secure!

  4. Just checking (Re: Funny) by Anonymous Coward · Score: 5, Informative

    Do you ever use telnet? Ever?

    Do you use insecure POP3?

    If either of these things is true, your passwords are flying through unprotected space every time you do either one, and you have no sane reason to complain about Apple leaving Apple Software Update with this "hole" for so long. If someone has the ability to exploit the Software Update "hole" mentioned here, they also have the ability to eavesdrop on all the traffic (including passwords) that you create when you do telnet, insecure POP3, or a number of other things.

    I'd say the hypocrisy here is that we're considering it a horrendous hole that an Apple network application was susceptible to man-in-the-middle attacks, but we're not, as members of the internet community as a whole, looking for ways that we can implement things such as ssh tunnelling or s/wan on a massive scale so that man-in-the-middle attacks can be wiped out at the root of the problem instead of having to be implemented individually in every single application in the universe.

  5. Not Quite by Llywelyn · Score: 5, Informative

    Yes, so long as the means of communicating the checksum are secure (i.e., not prone to a man-in-the-middle attack).

    Actually checksums have been used for years in order to ensure that a program has not been replaced with a malicious bit of code or modified in any way:

    For instance, you want to make sure you haven't been hacked and ls hasn't been tampered with to hide the files? Have a checksum for it stored offsite and/or in a secure manner (encrypt it with a symmetric key and pray that key hasn't been compromised as well) and then compare with what pops up when you look at the file.

    The idea is that if the file has changed at all, the checksum is going to be different.

    Note though that in order for this to work the means by which you receive the checksum *must* be secure. They can be cleartext (such as in this case), but you must be able to confirm the source of the checksum is who you think it is.

    Thus, it would be a poor way for the software update mechanism to operate (since the attacker could send a false checksum) but is okay for something like this.

    --
    Integrate Keynote and LaTeX
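Llywelyn's ls example above, worked through in code as an added illustration that is not from the thread: a checksum baseline kept somewhere the attacker cannot edit catches a modified binary, and the same comparison is worthless when the checksum arrived over a channel the attacker controls, because they simply ship their own hash next to their own file. The Go program assumes SHA-256 (the thread's examples use SHA-1; only the hash call would change) and uses constructed byte strings in place of the real /bin/ls.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Baseline maps a path to the hex SHA-256 recorded when the file was known
// good. The whole point is where this map lives: read-only media, another
// host, or under a key the attacker does not hold.
type Baseline map[string]string

// Fingerprint hashes file contents. Any change to the bytes changes the result.
func Fingerprint(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Check compares the file as it is now against the recorded baseline.
// A constant-time compare is habit rather than necessity for a hash, but it
// costs nothing.
func Check(b Baseline, path string, content []byte) (ok bool, reason string) {
	want, known := b[path]
	if !known {
		return false, "no baseline recorded for " + path
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(Fingerprint(content))) != 1 {
		return false, "checksum mismatch for " + path
	}
	return true, "ok"
}

// Scenario returns, in order: the untouched binary passes, the modified binary
// is caught, and a checksum fetched from an attacker-controlled channel lets
// the modified binary through unnoticed.
func Scenario() (cleanOK, trojanDetected, insecureChannelFooled bool) {
	genuineLS := []byte("constructed bytes standing in for /bin/ls")
	trojanLS := []byte("constructed bytes standing in for /bin/ls, patched to hide files")

	// Baseline recorded while the system was known good and stored out of reach.
	trusted := Baseline{"/bin/ls": Fingerprint(genuineLS)}
	cleanOK, _ = Check(trusted, "/bin/ls", genuineLS)
	ok, _ := Check(trusted, "/bin/ls", trojanLS)
	trojanDetected = !ok

	// The checksum was "received" over the same path the attacker owns, so it
	// describes their file, not the original. The comparison passes anyway.
	fetched := Baseline{"/bin/ls": Fingerprint(trojanLS)}
	insecureChannelFooled, _ = Check(fetched, "/bin/ls", trojanLS)
	return
}

func main() {
	c, d, f := Scenario()
	fmt.Println("clean binary passes:               ", c)
	fmt.Println("modified binary detected:          ", d)
	fmt.Println("attacker-supplied checksum passes: ", f)
}
```

The third case is why the thread says the checksum route is fine for a one-off download whose hash you can confirm out of band, but would be a poor design for an automatic updater: the updater would fetch file and checksum from the same place, which is exactly the situation where the check proves nothing.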
  6. Note by theolein · Score: 5, Insightful

    I appreciate, even though it is probably coincidental, that Apple did NOT attack the press for reporting this hole before they had a chance to plug it. It has been a reasonably quick, mature response. Unlike another company that we all know that seems incapable of fixing holes without having a go at all "enemies" on the side.