Apple fixes downloads vulnerability
Apple has released a patch for a glaring security hole in its software update system, which made it a trivial matter to install a back door into any Mac running OS X, according to security experts.
On Friday the company released an upgrade to its Software Update for Mac OS X that introduces an authentication process for the automatic download system. Last week, hacker Russell Harding, who claimed to have discovered the exploit, made available two programs that he said had been customised to carry out an attack via Software Update.
Apple's download is available to systems running Mac OS X 10.1 or later, via the Software Update system itself or Apple's Web site. The secure Web page includes optional instructions for verifying that the package is authentic -- which some hackers said they preferred, given the nature of the security glitch.
"Packages presented via the Software Update mechanism are now cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing new packages," Apple said on the site. "Downloaded packages which do not contain a valid signature are deleted from the system."
According to Harding, versions 1.4.5 and earlier of Software Update downloads updates over the HTTP protocol with no authentication, and installs them as root on the system.
It is a simple matter, according to Harding, to use any one of several well-known techniques to trick a user into installing a malicious program posing as an update from Apple. Such techniques include DNS spoofing and DNS Cache Poisoning.
When a previous version of Software Update runs, it connects via HTTP to an Apple.com page and sends a simple request for an XML document, which returns a list of software and current versions for OS X to check, according to Harding. After the check, OS X sends a list of its currently installed software to another page on Apple.com. If new software is available, the Software Updates Server responds with the location of the software, size, and a brief description. If not, the server sends a blank page with the comment "No Updates".
Harding made available two programs that he said were been customised for carrying out this attack. One program listens for DNS queries for updates, and when it receives them replies with spoofed packets re-routing them to the attacker's computer.
The second program, which is downloaded onto the victim's Mac masquerading as a security update, in fact contains a "back-doored" copy of the Secure Shell Server Daemon, sshd. "This version of sshd includes all the functions of the stock sshd," wrote Harding, "except the following: You can log in to any account on the system with the secret password 'URhacked!'. After logging in through this method, no logging of the connection is employed. In fact, you do not show up in the list of current users!"
Automatic updates of software -- particularly operating system software -- is a growing trend. Several Linux companies offer this feature for their distributions of the open-source operating system, and Microsoft recently launched a similar service called Microsoft Software Update Services.
Matt Loney contributed to this report.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.