Apple has been using an automated system to update users' computers on Mac OS X since the software was first released over a year ago. According to the Bug Traq Security list, Mac OS X's implementation of Software Update is vulnerable to attack.
According to the list, HTTP is used with no authentication when running the Software Update application. "Using well-known techniques, such as DNS Spoofing or DNS Cache Poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple," according to the site.
Apparently an exploit for this vulnerability has been released to the public for what Bug Traq says is "testing purposes." The exploit is being distributed as a Mac OS X package, which includes DNS and ARP spoofing software. The package also includes the CGI scripts and Apache configuration files required to impersonate the Apple Software Update server.
“The exploit is done by tricking a DNS server into thinking that Apple’s update server is in fact a different IP address — that server can then provide the bad app to download,” Scott Anguish of
told MacCentral. “This is not a new trick, it’s a well-known issue, and can be done with anything that connects on the net that doesn’t have an authority system (like public/private key authentication).”
Of course, you don’t have to check for updates automatically, but setting Software Update to check manually doesn’t protect you. “You’ll click ‘Update now’ and the bad application could still be downloaded,” said Anguish. “The malicious user would need to make sure that the update just looked legitimate … not hard at all.”
While the exploit data focused on Mac OS X, John C. Welch, a Networking Columnist with Workingmac.com, said Mac OS 9 is also vulnerable. "I did a packet trace on the Mac OS 9 version, and it had the same issues. No encryption, no authentication. As long as the server gives the right answers, it's going to download and install. All you have to do is hijack it and install an FBA or a malicious AppleScript, and a Mac OS 9 box is just as vulnerable."
In order to fix the problem, Anguish said Apple has to do a couple of things:
Use an SSL certificate so that it is possible to verify that the Web server that Software Update is downloading from is Apple's.
Start signing their downloads with a public/private encryption key pair, so that Software Update or the Installer can verify that it is the package posted by Apple.
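The second fix Anguish describes, signed downloads checked against a key the client already trusts, is illustrated below with an added example that is not code from Apple or from the article; the update format, function names and the Ed25519 key pair are assumptions, and the package contents are constructed sample bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedUpdate is a hypothetical update format: the package bytes plus a
// detached signature made with the vendor's private key over the whole package.
type SignedUpdate struct {
	Package   []byte
	Signature []byte
}

// SignUpdate runs on the vendor side; only the holder of the private key can
// produce a signature that the shipped public key will accept.
func SignUpdate(priv ed25519.PrivateKey, pkg []byte) SignedUpdate {
	return SignedUpdate{Package: pkg, Signature: ed25519.Sign(priv, pkg)}
}

// VerifyUpdate runs on the client with a pinned public key, so a server reached
// through a spoofed DNS answer cannot supply a package that passes this check.
func VerifyUpdate(pinned ed25519.PublicKey, u SignedUpdate) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pinned, u.Package, u.Signature) {
		return errors.New("package signature does not match pinned vendor key")
	}
	return nil
}

// Demo reports whether a genuine, a tampered and a foreign-signed package verify.
func Demo() (genuine, tampered, foreign bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)   // vendor key pair (assumed)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // an attacker's own key
	pkg := []byte("constructed sample: SecurityUpdate.pkg contents")
	genuine = VerifyUpdate(pub, SignUpdate(priv, pkg)) == nil
	t := SignUpdate(priv, pkg)
	t.Package = append([]byte{}, pkg...)
	t.Package[0] ^= 0xff // one byte changed after signing
	tampered = VerifyUpdate(pub, t) == nil
	foreign = VerifyUpdate(pub, SignUpdate(otherPriv, pkg)) == nil
	return
}

func main() { fmt.Println(Demo()) } // prints: true false false
```

Note that the check binds the package to the key, not to the server it came from, so it holds even when DNS or the transport has been subverted.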
An Apple spokesperson contacted for this report said, “Apple takes all security notifications seriously and is actively investigating this report.”