Information Security News mailing list archives

Hacker to Apple: Watch those downloads


From: InfoSec News <isn () c4i org>
Date: Tue, 9 Jul 2002 07:03:59 -0500 (CDT)

http://news.com.com/2100-1001-942265.html?tag=fd_top

By Matt Loney 
Special to CNET News.com
July 8, 2002, 4:10 PM PT

A security mailing list has alerted Apple Computer OS X users to a
program that could let a hacker piggyback malicious code on downloads
from the company's SoftwareUpdate service.

According to the BugTraq mailing list, a hacker named Russell Harding
has posted full instructions online for fooling Apple's
SoftwareUpdate feature into allowing a hacker to install a backdoor on
any Mac running OS X.

The exploit takes advantage of SoftwareUpdate, Apple's software
updating mechanism in OS X, which checks weekly for new updates from
the company. According to Harding, who claims to have discovered the
exploit, the feature downloads updates over the Web with no
authentication and installs them on a system. So far, there are no
patches available for this problem.

"Apple takes all security notifications seriously and is actively
investigating this report," a company representative said.

Harding stressed that the exploit is a simple one that relies on several
well-known techniques, including domain-name service (DNS) spoofing
and DNS cache poisoning.

DNS spoofing is an attack in which an individual's computer looks up the
numerical IP (Internet Protocol) address (for example, 1.2.3.4)
corresponding to a specific host name (for example, www.cnet.com), but an
attacker's computer intercepts the request. The attacker then sends
back a false IP address that corresponds to a hostile server.

DNS cache poisoning has similar results, but instead of intercepting a
request for an IP address, the attacker uses a variety of techniques
to replace the valid address in an official DNS server with an address
pointing to the attacker's computer.

When SoftwareUpdate runs normally, a person's computer connects via
HTTP to an Apple.com page and sends a simple request for an XML
document containing the latest inventory of OS X software. The
Apple.com site returns the document, which the person's computer then
cross-checks against what it has installed.

After the check, OS X sends a list of software that needs to be
updated to another page on Apple.com. If an update for the software is
available, the SoftwareUpdate server responds with the location of the
software, its size, and a brief description. If not, the server sends
a blank page with the information, "No Updates."
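The exchange just described has no step at which the client checks who it is talking to or what it received. The following simulation is an added example, not code from the article or from Harding: it models the inventory as an XML manifest, runs the unchecked flow beside a client that authenticates the manifest and verifies each download's size and hash, and plays both against a constructed spoofed host. The vendor key, package names and payloads are constructed, and an HMAC stands in for the public-key signature a real client would verify.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
VENDOR_KEY = b"constructed-demo-key"  # stand-in; a real client holds only the vendor's public key

def build_manifest(packages):
    """XML inventory as described above, plus an authenticator over its exact bytes."""
    root = ET.Element("updates")
    for name, version, payload in packages:
        ET.SubElement(root, "pkg", name=name, version=version, size=str(len(payload)),
                      sha256=hashlib.sha256(payload).hexdigest())
    body = ET.tostring(root)
    return body, hmac.new(VENDOR_KEY, body, "sha256").hexdigest()

def pending(installed, manifest):
    """The cross-check step: entries whose version differs from what is installed."""
    return [p for p in ET.fromstring(manifest).iter("pkg")
            if installed.get(p.get("name")) != p.get("version")]

def naive_client(installed, manifest, fetch):
    """The 2002 flow: install whatever the resolved host serves, with no checks."""
    installed = dict(installed)
    for p in pending(installed, manifest):
        fetch(p.get("name"))                          # payload would be run as-is
        installed[p.get("name")] = p.get("version")
    return installed

def hardened_client(installed, manifest, mac, fetch):
    """Authenticate the manifest first, then hold each download to its size and hash."""
    if not hmac.compare_digest(hmac.new(VENDOR_KEY, manifest, "sha256").hexdigest(), mac):
        return dict(installed), "rejected: manifest not authenticated"
    installed = dict(installed)
    for p in pending(installed, manifest):
        payload = fetch(p.get("name"))
        if len(payload) != int(p.get("size")) or not hmac.compare_digest(
                hashlib.sha256(payload).hexdigest(), p.get("sha256")):
            return installed, "rejected: %s does not match manifest" % p.get("name")
        installed[p.get("name")] = p.get("version")
    return installed, "ok"

def scenario(mode):
    """Constructed run: 'genuine', 'forged_manifest' or 'swapped_download'."""
    installed = {"SecurityUpdate": "2002-06"}
    manifest, mac = build_manifest([("SecurityUpdate", "2002-07", b"vendor bytes")])
    store = {"SecurityUpdate": b"vendor bytes" if mode == "genuine" else b"backdoor"}
    if mode == "forged_manifest":  # spoofed host serves its own inventory but cannot sign it
        manifest, mac = build_manifest([("SecurityUpdate", "2002-07", b"backdoor")])[0], "0" * 64
    naive = naive_client(installed, manifest, store.get)
    hardened, verdict = hardened_client(installed, manifest, mac, store.get)
    return naive["SecurityUpdate"], hardened["SecurityUpdate"], verdict
```

In both attack modes the unchecked client ends up at the attacker's "2002-07" while the hardened client stays on "2002-06" and reports why; with an HMAC the client necessarily holds the key too, which is exactly why a shipped design uses an asymmetric signature instead.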

On his Web site, Harding provides two programs that he says have been
customized for carrying out such an attack. One program listens for DNS
queries for the update service and, when it receives one, replies with
spoofed packets that reroute the client to the attacker's computer.

The second program, which is downloaded onto a victim's Mac and
masquerades as a security update, contains a copy of the encrypted
communications program, Secure Shell.

Automatic updating of software--particularly operating system
software--is a growing trend. Several Linux companies offer this
feature for their distributions of the open-source operating system,
and Microsoft recently launched a similar service called Microsoft
Software Update Services.

ZDNet U.K.'s Matt Loney reported from London. News.com's Robert Lemos
contributed to this report.



-
ISN is currently hosted by Attrition.org
