[ISN] Hacker to Apple: Watch those downloads

From: InfoSec News (isnat_private)
Date: Tue Jul 09 2002 - 05:03:59 PDT


    By Matt Loney 
    Special to CNET News.com
    July 8, 2002, 4:10 PM PT
    A security mailing list has alerted Apple Computer OS X users to a
    program that could let a hacker piggyback malicious code on downloads
    from the company's SoftwareUpdate service.
    According to the BugTraq mailing list, a hacker named Russell Harding
    has posted full instructions online for how to fool Apple's
    SoftwareUpdate feature into allowing a hacker to install a backdoor on
    any Mac running OS X.
    The exploit takes advantage of SoftwareUpdate, Apple's software
    updating mechanism in OS X, which checks weekly for new updates from
    the company. According to Harding, who claims to have discovered the
    exploit, the feature downloads updates over the Web with no
    authentication and installs them on a system. So far, there are no
    patches available for this problem.
    "Apple takes all security notifications seriously and is actively
    investigating this report," a company representative said.
    Harding stressed that the exploit is a simple one that uses several
    well-known techniques, including domain-name service (DNS) spoofing
    and DNS cache poisoning.
    DNS spoofing is an attack in which an individual looks up the numerical
    IP (Internet Protocol) address corresponding to a specific Internet
    address (for example, www.cnet.com), but an attacker's computer
    intercepts the request. The attacker then sends back a false IP
    address that corresponds to a hostile server.
    DNS cache poisoning has similar results, but instead of intercepting a
    request for an IP address, the attacker uses a variety of techniques
    to replace the valid address in an official DNS server with an address
    pointing to the attacker's computer.
    When SoftwareUpdate runs normally, a person's computer connects via
    HTTP to an Apple.com page and sends a simple request for an XML
    document containing the latest inventory of OS X software. The
    Apple.com site returns the document, which the person's computer then
    cross-checks against what it has installed.
    After the check, OS X sends a list of software that needs to be
    updated to another page on Apple.com. If an update for the software is
    available, the SoftwareUpdate server responds with the location of the
    software, its size, and a brief description. If not, the server sends
    a blank page with the information, "No Updates."
    On his Web site, Harding provides two programs that he says have been
    customized for carrying out such an attack. One program listens for DNS
    queries for updates and, when it receives them, replies with spoofed
    packets that reroute the queries to the attacker's computer.
    The second program, which is downloaded onto a victim's Mac and
    masquerades as a security update, contains a copy of the encrypted
    communications program, Secure Shell.
    Automatic updating of software--particularly operating system
    software--is a growing trend. Several Linux companies offer this
    feature for their distributions of the open-source operating system,
    and Microsoft recently launched a similar service called Microsoft
    Software Update Services.
    ZDNet U.K.'s Matt Loney reported from London. News.com's Robert Lemos
    contributed to this report.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 08:10:48 PDT