http://www.macnn.com/articles/02/07/09/security.issue/

Security issue with Apple's software update

updated 07:55 am EDT, Tue July 9, 2002



German magazine c't reports (in German) on a vulnerability in Apple's Software Update mechanism, called PhantomUpdate. Because the login and download system is unauthenticated, malicious software masquerading as a legitimate update can be installed, giving any attacker access to the user's computer. Mac OS X-customized versions of the commonly available DNS spoofing tools are available online to demonstrate the vulnerability.


by MacNN Staff


Comments

  1. gsciorio

    Junior Member

    Joined: Sep 2000

    0

    Now this is more like it

    I'm a windows convert (Oct'01) and was just starting to miss all the windows security issues.

    Now I feel at home! :-0

    g

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    Now this is more like it

    First off Welcome to Mac!! Second, I think this is being blown up by the tech press, because some hacker found a 'possible' way in! I won't be losing any sleep over this!

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    Manual Update

    Just use manual updating and this won't be a problem. Then you see what your system is installing, anyway.

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    No issue

    Most Mac users are not worried about this, because they do not have Automatic Updating enabled. Just select manual updating, as mentioned above and you will be just fine. Apple will probably address this in the near future since the press has been giving them a hard time over this...the person who wrote this must be a big fan of Uncle Bill.

  1. gsfprez

    Fresh-Faced Recruit

    Joined: Oct 1999

    0

    No different than others

    all software update mechanisms are susceptible to this kind of "attack". h***, the windows update is even worse because it would be easier to sneak in an Outlook client virus to change the endpoint of Windows Update.

    but i would concur that there would be good karma in some kind of challenge/response between the servers to verify that it is indeed the Apple server, and not a rogue server.

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    How will manual update he

    Just use manual updating and this won't be a problem. Then you see what your system is installing, anyway.

    No, you see what the package claims to be. So the attacker can have the update claim to be "Apple security Update 3", or "iPhoto 1.2".

    all software update mechanisms are susceptible to this kind of "attack".

    No they are not. One can use something like an RSA signature so the client machine (your Mac) can verify that the sender is really Apple, Inc. You only get the public key, not the private, and there is no known way to make the other half of the key (except for a brute force attack that takes way too long). If you don't believe that, you also don't believe that SSH and SSL (HTTPS) work.

    On windows it isn't a big deal because there is so much wrong with the security that one more hole in the shattered wall won't matter. On OSX it kind of sucks because there is likely to be only 3 or four ways in...or maybe only even one. So people looking at deploying secure machines might be interested in the Xserve, as long as Apple can keep this kind of thing to a minimum (and no, the DNS exploit and SSH hole don't count too badly against Apple because every Unix vendor had the SSH problem, and many had the DNS problem)
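
The check described in the comment above, where the client holds only the vendor's public key and verifies a signature before installing, shown as an added example (not code from the article, the commenters or Apple). Keys, payloads and function names are constructed for illustration; textbook RSA over a SHA-256 digest with Mersenne-prime keys stands in for a vetted scheme such as RSA-PSS from a crypto library.

```python
import hashlib

# Constructed demo keys built from Mersenne primes: trivially factorable,
# chosen only so the example runs offline without a crypto library.
E = 65537

def make_key(p: int, q: int):
    """Return (n, d): public modulus and private exponent."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

VENDOR_N, VENDOR_D = make_key(2**521 - 1, 2**607 - 1)  # d never leaves the vendor
ROGUE_N, ROGUE_D = make_key(2**607 - 1, 2**127 - 1)    # spoofed server's own key

def digest_int(package: bytes) -> int:
    return int.from_bytes(hashlib.sha256(package).digest(), "big")

def sign(package: bytes, d: int, n: int) -> int:
    """Textbook RSA over the SHA-256 digest (no padding, demo only)."""
    return pow(digest_int(package), d, n)

def client_accepts(package: bytes, signature: int) -> bool:
    """The updater ships with VENDOR_N and E pinned; it trusts nothing else,
    in particular not the host name the package was downloaded from."""
    if not 0 < signature < VENDOR_N:
        return False
    return pow(signature, E, VENDOR_N) == digest_int(package)

# Constructed sample payloads: same claimed name, different content.
GENUINE = b"name=Security Update 3\npayload=vendor-build"
SPOOFED = b"name=Security Update 3\npayload=something-else"

def run_cases() -> dict:
    genuine_sig = sign(GENUINE, VENDOR_D, VENDOR_N)
    rogue_sig = sign(SPOOFED, ROGUE_D, ROGUE_N)
    return {
        "genuine package, vendor signature": client_accepts(GENUINE, genuine_sig),
        "spoofed package, replayed vendor signature": client_accepts(SPOOFED, genuine_sig),
        "spoofed package, rogue-key signature": client_accepts(SPOOFED, rogue_sig),
        "spoofed package, no signature": client_accepts(SPOOFED, 0),
    }

if __name__ == "__main__":
    for case, accepted in run_cases().items():
        print(f"{'INSTALL' if accepted else 'REJECT '}  {case}")
```

Only the first case is accepted: a spoofed DNS answer changes where the package comes from, but not whether its signature verifies against the pinned key.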

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    Not that big

    Even the automatic update does not install without user permission.

    System administrators that get bent out of shape over this should step back a bit and calm down - they are still in the loop, and unless they are complete idiots, they already read the information about every OS update at the vendor site before they install it. This should be true for X, Win, Linux, or Solaris.

    Thus, if they see a new update, they should then go to the Apple site and verify that it is indeed real - if nothing else, visiting sites like this one, you quickly find out whether an update has come out and people have applied it.

    Do remember that this hack does require an exploit to work first, at the DNS level or at the host machine level. Not impossible, but not nearly as critical as it has been presented.

    Scott

  1. rpkrajewski

    Joined:

    0

    Two cents

    (1) Many Mac OS X installers do verify their contents, although I'm not sure if they use digital signatures to do so.

    (2) The scope of the attack is limited by how widely the attacker can spoof DNS requests.

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    Apple's response?

    It will be interesting to see how quickly Apple responds to this security breach. Will a patch be up within a week's time? A month's time? Will we have to wait until Jaguar?

  1. MacNN.com Reader

    Fresh-Faced Recruit

    Joined: Jul 2001

    0

    DNS

    DNS has always been the low point, even this is a bug for web browsers. This is not a flaw in the Software Update, but a flaw in DNS.
