Hacker to Apple: Watch those downloads

Hacker to Apple: Watch those downloads

A security mailing list has alerted Apple Computer OS X users to a program that could let a hacker piggyback malicious code on downloads from the company's SoftwareUpdate service. According to the BugTraq mailing list, a hacker named Russell Harding has posted full instructions online for how to fool Apple's SoftwareUpdate feature to allowing a hacker to install a backdoor on any Mac running OS X.

The exploit takes advantage of SoftwareUpdate, Apple's software updating mechanism in OS X, which checks weekly for new updates from the company. According to Harding, who claims to have discovered the exploit, the feature downloads updates over the Web with no authentication and installs them on a system. So far, there are no patches available for this problem.

"Apple takes all security notifications seriously and is actively investigating this report," a company representative said.

Harding stressed that the exploit is a simple one if using several well-known techniques, including domain-name service (DNS) spoofing and DNS cache poisoning.

DNS spoofing is an attack where an individual seeks out a numerical IP (Internet Protocol) address (for example, 1.2.3.4) corresponding to a specific Internet address (for example, www.cnet.com), but an attacker's computer intercepts the request. The attacker then sends back a false IP address that corresponds to a hostile server.

DNS cache poisoning has similar results, but instead of intercepting a request for an IP address, the attacker uses a variety of techniques to replace the valid address in an official DNS server with an address pointing to the attacker's computer.

When SoftwareUpdate runs normally, a person's computer connects via HTTP to an Apple.com page and sends a simple request for an XML document containing the latest inventory of OS X software. The Apple.com site returns the document, which the person's computer then cross-checks against what it has installed.

After the check, OS X sends a list of software that needs to be updated to another page on Apple.com. If an update for the software is available, the SoftwareUpdate server responds with the location of the software, its size, and a brief description. If not, the server sends a blank page with the information, "No Updates."

On his Web site, Harding provides two programs that he says have been customized for carrying such an attack. One program listens for DNS queries for updates, and when it receives them replies with spoofed packets rerouting them to the attacker's computer.

The second program, which is downloaded onto a victim's Mac and masquerades as a security update, contains a copy of the encrypted communications program, Secure Shell.

Automatic updates of software--particularly operating system software--is a growing trend. Several Linux companies offer this feature for their distributions of the open-source operating system, and Microsoft recently launched a similar service called Microsoft Software Update Services.

Yawn.

Apple's already fixed it. I work for a company that provides a software updater, but unlike Apple, they've been doing the data encryption route since day 1. Not all software companies do it the Apple way. So Apple made an oversight. Apple fixed it. Whoop-de-doo. That response time is still 1000% faster than any security bug in Microsoft's crap. I gave up on M$ and returned to the Mac. Used to be a test engineer for NASA -I know how to test and write reports. M$ always ignored me. Apple never does. M$ just shoves their crap out the door and ignores the fatal flaws. Some people like that. Me, not only do I expect it to work, I expect the bugs to fixed in a timely manner. Never saw that with M$.

Are Mac users smarter?

By Ian Fried
Staff Writer, CNET News.com
July 12, 2002, 2:05 PM PT

update Those who surf the Web using a Mac tend to be better educated and make more money than their PC-using counterparts, according to a report from Nielsen/NetRatings.

The study also said Mac users tend to be more Web savvy, with more than half having been online for at least five years. And the Mac faithful are 58 percent more likely than the overall online population to build their own Web page and also slightly more likely to buy goods online, according to the report.

"With above-average household income and education levels, the Mac population presents a very attractive target for marketers, both online and offline," the research group said.

TS Kelly, director and principal analyst at NetRatings, said that his company decided to publish the study after noticing the differences between the demographics of Mac owners compared with overall PC owners. Kelly said Apple Computer is a client, but he said Apple did not commission the study nor was it made aware of the results prior to the report's publication.

Kelly said the greater affluence and education level of those who surf using a Mac is attributable in part to the company's comparatively pricier machines, as well as to their perception as a status symbol and their greater market share among those in the publishing and design industries.

"Any time you lower a price point you always see a broadening of the audience that is probable to buy it," Kelly said.

"Apple customers may be educated, but our customers are smart enough to have chosen Gateway, which offers the best value," said Brad Williams, a spokesman for the PC maker.

Apple has been aggressively targeting PC owners in its latest ad campaign.

Although Apple sales typically represent less than 5 percent of the overall U.S. personal computer market, 8.2 percent of Americans who surf the Web at home do so using a Mac, according to the study. Nearly all the rest of those who go online--89.4 percent--do so using a Windows-based PC.

Nielsen/NetRatings said that 70.2 percent of Mac users online have a college degree, compared with 54.2 percent of all Web surfers. That, combined with their longer surfing histories and their greater willingness to buy products via the Web, makes Mac consumers a prime catch for marketers, Kelly said.

"In many cases that is a market advertisers are looking at when they are promoting new products or upscale products," Kelly said.

A representative for PC maker Dell noted that it doesn't seem to be lacking for customers and that half of those customers buy their PCs over the Web--a sign that Windows users are also adept online.

The study notes that although there are clear benefits to marketing to Mac owners, it can be tough to target them specifically.

Once upon a time, marketers could target personal computer users as a whole to reach a more-educated, higher-income base, however the demographics of those with a personal computer have become more similar to the demographics of the overall population as personal computer penetration has grown. Kelly said advertisers can still reach upscale crowds in other ways, such as targeting those who have a broadband connection.

Is Mac OS X worth upgrading to?

It really is up to you. It all depends on what you like to do with your computer. If you are content and it meets your needs, that's great! I really like OS X and love using the new iApplications: iPhoto, iMovie, iTunes, etc. iPhoto especially is wonderful as I've starting doing more digital photography - it makes organizing, editing and sharing your pictures (printing, posting on the web, emailing, etc.) a snap. I went to a friend's wedding a few weeks ago and took a bunch of pictures and then made a slide show and burned it on a CD for her with one of her favorite songs playing in the background. It took less than 15 minutes from the time I plugged in the camera to the iMac and the finished CD came out of the tray.

She loved it.

Cheers, CC :)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.