#1  July 8th, 2002, 08:09 AM
bbloke
Registered User, Join Date: Jun 2002, Location: UK, Posts: 1,371
Potential security risk with Software Update

I thought everyone should be informed that a potential security flaw has been found with the Software Update feature under OS X. I received a mail (from a security mailing list) which read as follows:



----------------------------------------------------------------------------
MacOS X SoftwareUpdate Vulnerability.
----------------------------------------------------------------------------

Date: July 6, 2002
Version: MacOS 10.1.X and possibly 10.0.X
Problem: MacOS X SoftwareUpdate connects to the SoftwareUpdate Server via
HTTP with no authentication, leaving it vulnerable to attack.

----------------------------------------------------------------------------

http://www.cunap.com/~hardingr/proje...x/exploit.html

----------------------------------------------------------------------------

Summary:

Mac OS X includes a software updating mechanism "SoftwareUpdate". Software update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well known techniques, such as DNS Spoofing, or DNS Cache Poisoning it is trivial to trick a user into installing a malicious program posing as an update from Apple.


Impact:

Apple frequently releases updates, which are all installed as root. Exploiting this vulnerability can lead to root compromise on affected systems. These are known to include Mac OS 10.1.X and possibly 10.0.X.


Solution/Patch/Workaround:

There is currently no patch available. Hopefully the release of this information will convince Apple they need, at the very least, some basic authentication in SoftwareUpdate.


Exploit: http://www.cunap.com/~hardingr/proje...x/exploit.html

An exploit for this vulnerability has been released to the public for testing purposes. It is distributed as a Mac OS X package which includes DNS and ARP spoofing software. Also, it includes the cgi scripts, and apache configuration files required to impersonate the Apple SoftwareUpdatesServer.


Credits:

Author - Russell Harding - hardingr@cunap.com
Testing - Spectre Phlux, KrazyC, Devon, and The Wench



(end of mail)

I have informed Apple using the Mac OS X Feedback page, though I expect they would know of this issue already.
#2  July 8th, 2002, 11:33 AM
scruffy
Notorious Olive Counter, Join Date: Dec 2000, Location: Soviet Canuckistan, Posts: 1,726
I was half expecting something like this, and there it is...

Really Apple ought to authenticate both the connection, and the packages that are downloaded. They could just sign the packages with a pgp key or something, it would be so much safer.
__________________

What is the robbing of a bank compared to the founding of a bank?
-- Bertolt Brecht
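The signing scheme scruffy proposes, applied to the flaw described in the advisory in post #1, as an added example written for this page (Go; it is not Apple's code and not code from anyone in this thread): the client pins a public key that ships with the OS and checks a signed manifest before installing, so a spoofed DNS answer that points Software Update at a fake server yields nothing installable. The manifest format, the key pair and the sample package bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the update server would publish beside the package:
// the package name, its SHA-256 digest, and a signature over both.
// The format is constructed for this example and is not Apple's.
type Manifest struct {
	Name   string
	Digest string // hex SHA-256 of the package bytes
	Sig    []byte // ed25519 signature over Name + "\n" + Digest
}

func manifestBytes(name, digest string) []byte {
	return []byte(name + "\n" + digest)
}

// SignManifest is the server side: the vendor's private key never leaves the vendor.
func SignManifest(priv ed25519.PrivateKey, name string, pkg []byte) Manifest {
	d := sha256.Sum256(pkg)
	digest := hex.EncodeToString(d[:])
	return Manifest{Name: name, Digest: digest, Sig: ed25519.Sign(priv, manifestBytes(name, digest))}
}

// VerifyUpdate is the client side. It trusts only the pinned public key shipped
// with the OS, never anything that arrived over the spoofable HTTP channel, and
// it checks the signature before the digest so an unsigned digest buys nothing.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m.Name, m.Digest), m.Sig) {
		return errors.New("manifest signature invalid: refusing to install")
	}
	d := sha256.Sum256(pkg)
	if hex.EncodeToString(d[:]) != m.Digest {
		return errors.New("package digest mismatch: refusing to install")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	pkg := []byte("constructed update package bytes")
	m := SignManifest(priv, "SecurityUpdate-example.pkg", pkg)
	fmt.Println("genuine:", VerifyUpdate(pub, m, pkg))
	// A spoofed server can swap the package bytes but cannot forge the signature.
	fmt.Println("tampered:", VerifyUpdate(pub, m, []byte("trojan")))
}
```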
#3  July 9th, 2002, 09:24 AM
bbloke
Registered User, Join Date: Jun 2002, Location: UK, Posts: 1,371
Follow up...

A subsequent E-Mail from the mailing list suggested the following:

1) the painfully obvious selection of manual checks via Software Update and then never actually selecting "Update Now" (i.e. never using Software Update... )

2) looking for updates on http://www.info.apple.com/support/downloads.html instead of using Software Update



I've also been in touch with Macintosh security sites (http://www.securemac.com and http://www.macintoshsecurity.com).

Apple is certainly aware of the problem; a MacCentral article claimed an Apple spokesman said:

"Apple takes all security notifications seriously and is actively investigating this report."

http://maccentral.macworld.com/news/0207/08.update.php
#4  July 9th, 2002, 07:56 PM
bbloke
Registered User, Join Date: Jun 2002, Location: UK, Posts: 1,371
Further follow up...

Just to let everyone know both securemac.com and macintoshsecurity.com have published my comments (essentially the same as I posted on this site), so it might be worthwhile monitoring these sites to see if there are further developments regarding this issue. Securemac.com stated:

"SecureMac's View
This has been a known issue for quite some time, we received many emails notifying us of the method Apple uses for software updates. This is something Apple needs to address to verify the software which is being installed is from their server. Checksums would work fine for this method. Keep your computer physically secure, disable remote access and this will not be an issue for you."


It's a good idea, IMHO, to monitor security sites anyway. I get the impression OS X is fairly secure in its default configuration, so users shouldn't panic too much. However, users can always exercise additional caution by: not enabling remote access or file sharing, setting up the built-in firewall ("man ipfw" in the Terminal for more details and/or download and use "Brickhouse" or "Firewalk X" or something similar), and using encryption (such as ssh rather than telnet, scp or sftp rather than ftp, SSL for mail, and so on...).
#5  July 9th, 2002, 10:35 PM
Nummi_G4
New Rhapsody User, Join Date: Feb 2002, Location: Concord, Ohio, Posts: 1,538
Great. Jerks that did not think about this before now know about it. Kinda similar to terrorists and the media. On the news, they talk about what areas of our defense are weak. And I'm thinking to myself, "you idiots, you just told them where to hit us." Just ranting, sorry.
#6  July 10th, 2002, 03:30 AM
Gregita
Registered User, Join Date: May 2002, Posts: 118
Good work, bbloke.

It's nice to read something truly informative.

Thank you for posting it.
#7  July 10th, 2002, 03:37 AM
nichrome
Court Fool, Join Date: Jun 2002, Location: In Your Head, Posts: 53
You know what's really funny about this "security issue"? It also applies to any other HTTP download operation you might perform. It's not like Software Update is the only application of the HTTP protocol that can be spoofed. I was, like, "yes, and?" when they reported this. Of course, things could be better, but it's not like this will suddenly cause every package you see in the Software Update listing to be trojans.
__________________
nichrome :: you think you've found my
weakness, but i have more!
#8  July 10th, 2002, 07:52 AM
bbloke
Registered User, Join Date: Jun 2002, Location: UK, Posts: 1,371
Thanks for the compliment, Gregita.


Nummi_G4, I too had wondered about the possibility of actually exposing risks to others who might then take advantage. I discussed this with colleagues before posting, and we basically agreed that those people who are knowledgeable enough to try this sort of thing would probably know about it already! Furthermore, once a bug report has been made public (as it had been through other security sites and mailing lists before I mailed this group), any potential hackers will basically now know about the issue. Therefore, circulating the information quickly is the best way to protect the public, as those with malicious intent will already be one step ahead, rather than waiting for a random bug report to make its way to a general forum they might happen to read occasionally. If these security issues were kept quiet, I strongly feel hackers would actually be in a stronger position!

nichrome, I agree with you that other http downloads could be under threat and that it is also unlikely that Software Update is going to suddenly start downloading and installing trojans all over the place. However, the big difference between normal downloads and using Software Update is the trust involved. Instead of simply downloading a file, we are telling Software Update to look for new files, download them, and then install them on our behalf (as root if necessary). That is, a hacker could get Software Update to perform a potentially malicious operation as root, which is very different from only downloading a file and not going any further with it.