Hacker to Apple: Watch those downloads
Saw this over at shortnews.com, anyone think it's valid?
-----
Hacker to Apple: Watch those downloads
According to the BugTraq mailing list, Russell Harding has posted full instructions online for how to fool Apple's SoftwareUpdate feature into allowing a hacker to install a backdoor on any Mac running OS X.
The exploit fools SoftwareUpdate, which updates the OS X Mac operating system. The program downloads and installs the updates over the web without authentication.
There are no patches for this exploit as of yet, although a company representative stated that Apple is 'actively investigating' the report.
-----
Comments
That still amazes me about Apple. Just a couple months ago I switched my career from an ISP Network Admin to Graphic Artist. When I was an admin, the first thing I did every morning was updates. Anti-Virus, application, and of course OS. And you could pretty much guarantee that at least an hour of my day went to that as well as defragging and scan disking. Given, I didn't have to sit there for it to start, but as we all know the "occasional"
Now that I do graphic work, I use a Mac, of course. The first thing I do when I come to work now, is plug in my iBook, open the lid, and check my email. Boy that's tough.
Just to note, I still run a XP Pro box, and Win98 box at home. The Win98 box is for my 5 year old to play games on, and the XP box is my Internet Sharing and solitaire server.
<<<
BTW, the software update server IS secure and the software only answers to THAT server.
<<<
Unfortunately, "only answers to THAT server" doesn't exist. Someone in control of a router between you and the server (network admin, ISP etc.) can easily direct all outgoing SoftwareUpdate traffic to some box of his own. This box inserts an Apple IP address into all returned packets.
<<<
Even if a very lucky booby managed to figure some such hack out... how does that threaten me? We run Norton Antivirus, we have NO sensitive data on the computer
<<<
I don't think it matters what you have installed or if you have any sensitive data on your computer. Apple doesn't sell a different OS to companies that have sensitive data on their systems.
thuh Freak:
<<<
doesn't software update require authentication before it installs anything?
<<<
He is talking about authentication of origin, not user authentication. SoftwareUpdate must be able to make sure that it's not accepting data from any server other than Apple's. Usually you would do this by including a public key in every copy of the updater software. Then a challenge mechanism would be used. (The updater picks some random string, encrypts it with the public key and sends it to the server; the update server uses its private key to decrypt the message and sends the string back in plaintext. If the two strings match, it can be assumed that the server on the other side knows the private key and therefore is the official update server.)
<<<
Also, doesn't it only update existing programs (therefore requiring that someone already acquired the `backdoor`)?
<<<
I think SU can also install new files. Anyway, you wouldn't call your backdoor program "BACKDOOR.app". You'd call it iPhoto 1.1.2, request admin permissions and then install whatever you like.
123
[ 07-10-2002: Message edited by: 123 ]
<<<
is this a hoax?
if not - how bad is this?
<<<
It is not a hoax and it is potentially devastating. Apple fucked up here big time - while our arch-enemy did much better with the Windows Update mechanism.
MITM (man in the middle) attacks can be carried out at any point between you and the Apple server. You can also run the attack from a box that is in the same subnet as the victim's.
Not only does Russell describe how the attack is done, he also provides all necessary tools on his homepage to carry it out. This is what makes it really serious.
123
Let's see... this would require a new version of Software Update which would check the signature after downloading an update but before installing it.
[ 07-10-2002: Message edited by: 123 ]
<<<
I have always manually downloaded and installed all updates, and I don't see why apple couldn't post the updates on their site. I have never heard of anyone having a problem downloading files directly from apple's website. This "software update" program is slow, and unnecessary. Netscape is fine for me. (and more reliable.)
<<<
don't agree and haven't experienced a word you said
<<<
I have always manually downloaded and installed all updates, and I don't see why apple couldn't post the updates on their site. I have never heard of anyone having a problem downloading files directly from apple's website. This "software update" program is slow, and unnecessary. Netscape is fine for me. (and more reliable.)
<<<
Actually I do mine manually as well, but you can go to the website and download them there as well. The software update is just a bit easier to get to for most folks.
<<<
I have always manually downloaded and installed all updates, and I don't see why apple couldn't post the updates on their site.
<<<
They do offer the updates via ftp as well. However, the exploit mentioned above would work as well if you get your downloads via netscape. The only solution is digitally signing the files and having the installer check that signature.
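As an added example (not code from this thread, from Russell Harding, or from Apple's SoftwareUpdate), here is the check the last two posts ask for, written in Go: the vendor signs a small manifest (package name plus SHA-256 of the package bytes) with a private key, the updater ships with the matching public key pinned into it, and nothing is installed until both the signature and the hash check out. The manifest format, the Ed25519 key pair, the package names and the package bytes are all constructed for the demonstration. It also shows why the challenge-response idea from the earlier post by 123 is not enough on its own: proving that the far end holds the private key says nothing about the bytes a man in the middle hands you afterwards, whereas a signed hash binds the package to the key. Two attacker cases are run: swapping the package while replaying the genuine manifest (fails the hash check), and re-publishing the package with the attacker's own key (fails the signature check against the pinned key).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the constructed (hypothetical) metadata an update server
// publishes next to a package. The server signs the manifest; the package
// is bound to that signature through its SHA-256.
type Manifest struct {
	Name   string
	SHA256 string
}

// bytes gives the canonical form that is signed and verified.
func (m Manifest) bytes() []byte {
	return []byte(m.Name + "\n" + m.SHA256 + "\n")
}

// Updater is the client side. The vendor's public key is pinned at build
// time; nothing received over the network can replace it.
type Updater struct {
	pinnedKey ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under pinned key")
	ErrHashMismatch = errors.New("package hash does not match signed manifest")
)

// Verify must pass before anything is installed: signature first, so an
// attacker cannot even choose which hash we compare against, then the hash.
func (u Updater) Verify(m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(u.pinnedKey, m.bytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// publish is the server side: hash the package and sign the manifest.
func publish(priv ed25519.PrivateKey, name string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Name: name, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.bytes())
}

// RunScenario plays out three deliveries to one updater and returns the
// verification result of each: the genuine update, a man-in-the-middle that
// swaps only the package bytes, and one that re-signs with its own key.
func RunScenario() (genuine, swapped, forged error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	updater := Updater{pinnedKey: vendorPub}

	// Constructed sample payloads; no real package bytes are involved.
	realPkg := []byte("constructed: genuine iPhoto 1.1.2 package bytes")
	backdoor := []byte("constructed: attacker package posing as iPhoto 1.1.2")

	m, sig := publish(vendorPriv, "iPhoto-1.1.2.pkg", realPkg)
	genuine = updater.Verify(m, sig, realPkg)

	// Case 2: attacker replays the genuine, validly signed manifest but
	// substitutes the package on the wire.
	swapped = updater.Verify(m, sig, backdoor)

	// Case 3: attacker generates a key, publishes a self-consistent manifest
	// for the backdoor and signs it. The hash matches, the key does not.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m2, sig2 := publish(attackerPriv, "iPhoto-1.1.2.pkg", backdoor)
	forged = updater.Verify(m2, sig2, backdoor)
	return genuine, swapped, forged
}

func main() {
	g, s, f := RunScenario()
	fmt.Println("genuine update:      ", g)
	fmt.Println("swapped package:     ", s)
	fmt.Println("attacker-signed copy:", f)
}
```

Note that a pinned key plus signed manifest also covers the "download it manually with Netscape" route mentioned above: the same verifier can be run over a file fetched by any client, because the check depends on the bytes and the vendor key, not on the channel they arrived over.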
<<<
Believe me, I'm quaking in my boots! Mean scary hacker gonna update my software with nasty stuff. Get real.
<<<
i'm not hysterical - i'm only concerned.
<<<
(...)If a glitch exists, Apple will fix it.
<<<
'think so too.
<<<
Windows update is NOT better. IT is slow, buggy etc. etc. etc.
<<<
does the m$ updater have the same problem or do they use other technology?
<<<
I don't think I'm too worried about this...and like I said earlier...just TURN THE BLASTED THING OFF!
<<<
yeah.
and jagwire is coming.
2. Just turn automatic update off 'till there's a fix and you'll be fine.
3. Windows is not better. there have already been one or two vulns in xp's auto update function reported so far, but they've been fixed by now. M$ makes sure these things are handled discreetly.
Don't run scared like little lemmings. That's what they want!
Software Update has always worked fine for me.
Just watch nothing will come of this. If it does it will finally give NAV something to do.
<<<
This security flaw won't affect 99.99% of you guys. Only get scared if you have someone on your LAN likely to do this to you. Don't lose sleep.
<<<
Exactly, you have to be on the same subnet, not just upstream. This would be a tough one to do. If you are so worried, you can create a HOSTS file pointing directly to the IP address and not use your DNS servers to take you there.
For the really paranoid, just wait a few days and download them directly from apple's web site, provided no one has hacked it.