Posted on 08/21/2005 5:35:07 PM PDT by bizzyblog
No, For-q, that is where you are wrong... if that were the case, there would be no need for the "victim software package" to change the System files.
This is just not a case of a spoofed server on the network as the DHCP vulnerability was... it requires a change in ROOT level system files to force the victim machine to connect to the spoofed server instead of the secure Apple server.
Did you even read the link? Here's a snippet from the web page describing the exploit. Any further denials on your part will need to go ignored as you obviously haven't read the site or don't understand it and I can't explain it any better than I have already done numerous times.
Maybe one of your Mac buddies will say it so you can understand. Or ask someone else that has participated on this thread to explain it to you.
Normal Operation:
When SoftwareUpdate runs (weekly by default), it connects via HTTP to swscan.apple.com and sends a simple "GET" request for /scanningpoints/scanningpointX.xml. This returns a list of software and current versions for OS X to check. After the check, OS X sends a list of its currently installed software to /WebObjects/SoftwareUpdatesServer at swquery.apple.com via a HTTP POST. If new software is available, the SoftwareUpdatesServer responds with the location of the software, size, and a brief description. If not, the server sends a blank page with the comment "No Updates".
Impersonating the Server:
As you can see, with no authentication, it is trivial to impersonate the Apple servers. The software provides two programs useful in impersonating the server, arpspoof and dnsspoof. Dnsspoof, written by Dug Song, has been customized for carrying out this attack. To run it, simply open up the terminal, and type "sudo dnsspoof &". It will begin listening for DNS queries for swscan/swquery.apple.com. When it receives them, it will reply with spoofed packets re-routing them to your computer. Arpspoof is needed for carrying out this attack on a switched network. For usage, and information on ARP spoofing, read Sean Whalen's Introduction to ARP Spoofing.
The main issue I'm having a hard time explaining is that nothing has to be installed to execute this exploit. The only thing required is for the user to launch the Apple updates (which can automagically happen). The user will think he's installing an approved update.
Regardless of this vulnerability, the point should be made that OSX is based on open source programming. This and several other vulnerabilities were discovered by people who work on open source programming to improve it. That is what Russell was doing. He found a vulnerability, notified Apple, and it was closed very shortly thereafter by requiring authentication from the server.
At worst, this was an unexploited spoofed server vulnerability... exactly the same type attack that brought down Microsoft's update websites for several days to be security hardened about two years ago. This is a minor blip in the open source development process that results in safer, more secure code.
Apple did something stupid with their automatic downloading of Widgets in OSX.4.0 (this boo-boo merely automatically downloaded new Widgets to the Widget directory of the Library... still couldn't install them, the user still had to do that)... which they quickly fixed in less than five days after 4.0's release in OSX.4.1. I personally found, reported and was credited for finding a security hole in Tiger's initial release that was also fixed in OSX.4.1 having to do with Spotlight's search routines returning hits in other users' supposedly secure files. None of this has been hidden because it is open source.
In my first reply to this thread I pointed out that we Mac users are aware one should not update the OS until at least the .1 revision of any major release, yet you claimed I have been touting Apple's "perfection". I suggest you re-read every one of my comments and see if I, anywhere, even suggested that... you won't find it.
You've claimed that I have said a virus is "impossible" but you won't find that statement from me anywhere on this thread or on FreeRepublic, because I never said it. Instead I told you that on a scale of 1 to 10, writing a Mac virus is a 9... that is not impossible, just very difficult. Experts in the field have pointed out that it takes a much higher degree of sophistication to write a virus for any flavor of Unix than it does for Windows. These are published opinions of people who would be qualified to testify in court as expert witnesses, not just my unsupported opinion.
According to the first paragraph in the article - "This problem has been addressed in Security Update 7-18-02. Security Update 7-18-02 delivers a more secure Software Update service, as well as an updated Software Update command line tool, to verify that future updates originate from Apple."
Mac Software Updates have been cryptographically signed for over three years. There are zero reports of anyone in the real world being affected by the vulnerability during its brief existence.
It is a dangerous exploit, but one that can only theoretically be turned into a virus. If one existed, a user wouldn't have to allow any unusual programs to run (it slides in with the user approving an update), so I'd call it a virus. But even then the spread of the virus would be limited to the local network. It would require another breach of network security and individual attacker effort to be put on any other network.
In any case, if I'd thought of it, under my list of possible bet terms I'd have put "Scope of replicability: Internet-wide," which would have disqualified this as a virus according to the bet.
Of course, we're all talking theoretical. It hasn't been done and isn't in the wild, thus proving Swordmaker's point.