Hacker cracks Apple downloads

Full instructions are available on the Internet for how to fool Apple's SoftwareUpdate feature and install a backdoor on any Mac running OS X. Worse, there appears to be no patch

Apple Mac users could be unwittingly downloading and updating their systems with rogue code, according to the BugTraq security mailing list.

The exploit takes advantage of Apple's software updating mechanism in OS X, called SoftwareUpdate, which checks weekly for new updates from Apple. According to hacker Russell Harding, who claims to have discovered the exploit, the Mac OS X SoftwareUpdate feature downloads these updates over the HTTP protocol with no authentication, and installs them as root on the system.

It is a trivial matter, according to Harding, to use any one of several well-known techniques to trick a user into installing a malicious program posing as an update from Apple. Such techniques include DNS spoofing and DNS Cache Poisoning.

No patch is understood to be available -- a fact that will be compounded by the availability on the Internet of full instructions, together with the necessary applications.

When SoftwareUpdate runs, it connects via HTTP to an Apple.com page and sends a simple request for an xml document, which returns a list of software and current versions for OS X to check, according to Harding. After the check, OS X sends a list of its currently installed software to another page on Apple.com. If new software is available, the SoftwareUpdatesServer responds with the location of the software, size, and a brief description. If not, the server sends a blank page with the comment "No Updates".

"As you can see, with no authentication, it is trivial to impersonate the Apple servers," wrote Harding on his Web site. He provides two programs that he says have been customised for carrying out this attack. One program listens for DNS queries for updates, and when it receives them replies with spoofed packets re-routing them to the attacker's computer.

The second program, which is downloaded onto the victim's Mac masquerading as a security update, in fact contains a "back-doored" copy of the Secure Shell Server Daemon, sshd. "This version of sshd includes all the functions of the stock sshd," wrote Harding, "except the following: You can log in to any account on the system with the secret password 'URhacked!'. After logging in through this method, no logging of the connection is employed. In fact, you do not show up in the list of current users!"

Apple did not immediately respond to requests for comment.

Automatic updates of software -- particularly operating system software -- is a growing trend. Several Linux companies offer this feature for their distributions of the open-source operating system, and Microsoft recently launched a similar service called Microsoft Software Update Services.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.