Free Republic
Browse · Search		 General/Chat
Topics · Post Article

Skip to comments.

Mac OS X Software Update security issue uncovered
MacCentral ^ | July 8, 2002 8:05 pm ET | Jim Dalrymple

Posted on 07/08/2002 8:31:27 PM PDT by HAL9000

Apple has been using an automated system to update users' computers on Mac OS X since the software was first released over a year ago. According to the Bug Traq Security list, Mac OS X's implementation of the Software Update is vulnerable to attack.

According to the list, HTTP is used with no authentication when running the Software Update application. "Using well known techniques, such as DNS Spoofing, or DNS Cache Poisoning it is trivial to trick a user into installing a malicious program posing as an update from Apple," according to the site.

Apparently an exploit for this vulnerability has been released to the public for what Bug Traq says is "testing purposes." The exploit is being distributed as a Mac OS X package, which includes DNS and ARP spoofing software. the package also includes the cgi scripts, and apache configuration files required to impersonate the Apple Software Update Server.

There was no mention of the Mac OS 9 implementation of Software Update.

An Apple spokesperson contacted this evening about this report said, "Apple takes all security notifications seriously and is actively investigating this report."


TOPICS: Computers/Internet
KEYWORDS: macosx; security
The article doesn't say if anyone has actually been affected by this exploit, but to be on the safe side, Apple ought to figure out a way to authenticate software updates.
1 posted on 07/08/2002 8:31:27 PM PDT by HAL9000
[ Post Reply | Private Reply | View Replies]
To: HAL9000
The article doesn't say if anyone has actually been affected by this exploit, but to be on the safe side, Apple ought to figure out a way to authenticate software updates.

There are ways to do this, unfortunately the software is illegal in the United States.

2 posted on 07/08/2002 9:17:28 PM PDT by altair
[ Post Reply | Private Reply | To 1 | View Replies]
To: altair
I think a digital certificate derived from Apple's IP address would be legal enough.
3 posted on 07/08/2002 9:37:40 PM PDT by HAL9000
[ Post Reply | Private Reply | To 2 | View Replies]
To: HAL9000
Without strong encryption software, they're helpless. The article says

The exploit is being distributed as a Mac OS X package, which includes DNS and ARP spoofing software.

With untrustworthy DNS and ARP, you're essentially clueless about the identity of anyone. DNS maps host names to IP numbers, ARP maps ethernet card IDs to IP numbers. A digital certificate doesn't do any good without a strong means of protecting it.

4 posted on 07/08/2002 9:59:17 PM PDT by altair
[ Post Reply | Private Reply | To 3 | View Replies]
To: HAL9000
"Apple ought to figure out a way to authenticate software updates."

This is exactly the way that Microsoft does it, ie. with digital authentication.

I never trusted the software update program so I have mine set to manual and never use it. I direct download from Apple. Of course some hacker could spoof the main apple.com but there is a much smaller chance of that happening.

Regardless apple should of used digital authentication from the beginning like Microsoft.

This could reek havoc on a local LAN. Mac world is coming up and like always, every one is going to be checking for updates during the show.

5 posted on 07/09/2002 6:37:28 AM PDT by avg_freeper
[ Post Reply | Private Reply | To 1 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search		 General/Chat
Topics · Post Article
FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson