Apple Plugs Software Update Hole
Apple | Posted by CmdrTaco on Saturday July 13, @11:08AM
from the plugging-the-holes dept.
hype7 writes "Apple's getting quick! Less than 5 days after the recently reported software update vulnerability was discovered, Apple have a patch plugging the hole. Apparently, packages now presented via the Software Update mechanism are cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing any new packages."

 

 
134 comments
Apple (Score:3, Funny)
by FigBugDeux on Saturday July 13, @11:09AM (#3877080)
(User #257259 Info | http://slashdot.org/)
Was there a worm hole in the apple?
That's a good thing. (Score:3, Funny)
by vegetablespork on Saturday July 13, @11:16AM (#3877117)
(User #575101 Info | http://sporks-r-us.com/)
We wouldn't want all those people more intelligent [slashdot.org] than the rest of us to get rooted.
how do you update? (Score:3, Funny)
by Anonymous Coward on Saturday July 13, @11:16AM (#3877119)
Do you use the software update mechanism to update the software update mechanism?
Doesn't MS already do that? (Score:1, Offtopic)
by jeffy124 on Saturday July 13, @11:17AM (#3877128)
(User #453342 Info | http://slashdot.org/ | Last Journal: Friday July 12, @08:47PM)
IIRC, doesn't MS's Windows Update already do something like SHA1 (or some other algorithm) signature checking?
Good for Apple! (Score:1, Redundant)
by dpbsmith on Saturday July 13, @11:18AM (#3877134)
(User #263124 Info)
Subject line says all...
stating the obvious, but... (Score:3, Interesting)
by siliconwafer on Saturday July 13, @11:24AM (#3877170)
(User #446697 Info)
As a Tibook owner I'm darn glad Apple is getting more serious about releasing security patches. Now that they've entered the server market (with the Xserve), they really have no choice.
Actually, it's only half-fixed... (Score:5, Insightful)
by imac.usr (eventually_it'll_ ... ver@logarithm.net) on Saturday July 13, @11:24AM (#3877173)
(User #58845 Info | http://homepage.mac.com/imac_usr/)
...that is, until this is backported to OS 9.

True, Apple has said that OS 9 is dead, but there's a hell of a lot of installations out there, and they all use an insecure Software Update mechanism as well. Apple needs to do the right thing and fix it for those who haven't upgraded because they can't (like those with hardware whose drivers haven't been updated yet), and to prevent Classic from becoming its own security hole.

they probably had it done anyways... (Score:2, Interesting)
by aveng0 (david@nOsPAm.david.ath.cx) on Saturday July 13, @11:25AM (#3877174)
(User #590814 Info | http://david.ath.cx/)
the reason it was so quick, was that they had probably included these crypto-features in their new upcoming os release(s)... they could have just done a diff ... but who knows? maybe they are quick! - david
check the authenticity of this update too (Score:5, Informative)
by Kevinv (kevin@vanTEAhaaren.net minus caffeine) on Saturday July 13, @11:38AM (#3877233)
(User #21462 Info | http://www.vanhaaren.net/~kevin/)
if you want to make sure this update is valid you can read the update info and verify the checksum [apple.com]

or for the extra paranoid, check the secure page [apple.com]
Good turnaround Apple (Score:3, Insightful)
by PierceLabs on Saturday July 13, @11:44AM (#3877272)
(User #549351 Info)
Apple has been really taking security seriously lately and this only helps to build confidence that the machine is capable of being used by more novice users who know nothing about the evils of being rooted.
socially engineered hole... (Score:2, Interesting)
by diablo943 (diablo943NO@SPAMmac.com) on Saturday July 13, @12:01PM (#3877367)
(User #583844 Info)
what a great way to sneak in a little trojan... spoof apple's own software update function and provide it for everyone under the guise of apple acting swiftly to patch a hole. put it up on a spoofed apple page and even provide a verification checksum to ease any suspicion. ah well. would make a good movie twist...
How does SU now check signatures? (Score:1)
by Alex Reynolds (reynolda_@sas.upenn.edu) on Saturday July 13, @12:58PM (#3877642)
(User #102024 Info | http://www.sas.upenn.edu/~reynolda/)
It's better that SU looks at checksums of incoming packages, I agree.

But how does it verify the checksums it matches?

If SU is looking up a list of checksums on a web site somewhere, what stops this attack from happening again?

Just set up another spoofed web server that dishes out checksums for bogus packages, and SU thinks everything is okay...
software update (Score:2)
by mrbill (mrbill@mrbill.net) on Saturday July 13, @01:19PM (#3877740)
(User #4993 Info | http://www.mrbill.net)
Yes, but can we trust the software update to software update? 8-)
It's a mouthful (Score:1)
by robolemon (nertzyNO@SPAMcox.net) on Saturday July 13, @01:29PM (#3877793)
(User #575275 Info | http://students.olin.edu/ghutchins | Last Journal: Saturday July 13, @03:17AM)
Yeah, but what if they want to add new features and remove bugs and security holes from the software update hole patch?

Then they'd have to make a "Software Update Security Hole Patch software update/security hole patch".

update via software update (Score:1)
by goon america on Saturday July 13, @01:41PM (#3877857)
(User #536413 Info)
Yes, you can update software update using software update.

Here's its description of the patch:
Security Update 7-12-02 delivers a more secure Software Update service to verify that future updates originate from Apple. If you would prefer to download this manually from a secure Apple server you can download the package at http://www.info.apple.com/kbnum/n75304

Now let's turn the tables. (Score:1, Interesting)
by Anonymous Coward on Saturday July 13, @01:51PM (#3877899)
ALL that this quasi-"hole" came down to was, "Wow! If you download software updates from apple.com over the internet, you are susceptible to man-in-the-middle attacks!" what a surprise. I mean, it's a VERY GOOD THING apple has plugged this, I'm just saying if they hadn't no one would have really been hurt :)

Anyway, though, let's just check: how do the other OSes handle this same problem? Someone in another thread claimed that Windows Update used some kind of "SHA-1" hashing, or something. OK. What about the Unix world? How does apt-get validate the checksums of the "new packages" it receives when you run apt-get update? How does "red carpet" do the same? What about the BSD ports system? When you go to www.solaris.com or www.redhat.com or www.kernel.org, and you see on the news page that there's a big new security patch, and you download it, how do you know that that's real and you aren't just looking at something sitting on a compromised router somewhere, masquerading as those sites?

I am just curious.

Maybe if the government would stop dicking with everyone and intentionally making it difficult to widely implement ssh and scp (scp is the ftp/ssh thing, right?) on a large scale in software projects such as web browsers, we'd have scp everywhere by now, and web browsers would default to https, and the public keys for ftp.apple.com and ftp.microsoft.com and ftp.debian.org would all be logged in the "trusted public keys" files of those respective OSes by default, and this wouldn't be a problem, because netscape and internet explorer would give you big warning signs everywhere when the ftp site you are looking at isn't the one you think it is.. and everyone would be just that much safer from being subject to service interruptions because of social engineering.
New softwareupdate command (Score:3, Interesting)
by znu (znu@znu.dhs.org) on Saturday July 13, @02:17PM (#3878052)
(User #31198 Info)
This update also adds the command-line updating tool that comes with Xserve. See 'man softwareupdate'.
Not a solution, just requires a different attack (Score:1, Interesting)
by gerardrj on Saturday July 13, @03:14PM (#3878321)
(User #207690 Info | Last Journal: Sunday June 30, @12:41AM)
So now the packages are signed with some sort of checksum, like PGP or GPG or MD5. But the whole verification process is automated. So the installer now goes and gets the checksum from an Apple server.

A hacker now just has to do some more work. Instead of just the DNS misdirection, they now need to create a checksum for their bad/malicious code. The updater will query their fake update server for the now forged checksum and see it matches the fake update package that was retrieved from the same hacked up server.

Even if they automatically get the checksum from a specific IP or set of IPs, all one has to do is create a server with that IP and insert it in the network and get a few routers to change their IP routing tables.

If they use a third party to verify the downloaded checksum is authentic, that server itself is vulnerable to the DNS and IP routing 'man in the middle' attacks.

This just makes the hacker's job a little more complex. But if they have privs to alter DNS on a server this is just two minutes extra work. This whole thing is just silly. The initial problem was a non-problem. The solution doesn't provide any substantial obstacle to someone that wants to perpetrate such an attack. There in fact is no solution other than a 1-1 split key system. I generate a public key one time and send it to Apple. They then use that key to encrypt/sign all the updates sent to me. I use the private key to verify/decrypt the update and install it. I know that only Apple has my public key so I can be safe.

The problem here of course is that Apple needs to store potentially millions of public keys on their servers, and use a lot of CPU to do the unique signing/encrypting as people request the updates.

The split key eliminates the man in the middle, as they have no way to get ahold of each user's public key. They can't fake one, and no amount of DNS or IP redirection (other than the initial sending of the public key) will allow them to masquerade as the authentic site.

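To make the distinction running through this thread concrete (the story summary says the new client checks a signature before installing; Alex Reynolds asks where the client gets the checksums it compares against; gerardrj argues that a checksum fetched from the same server as the package is as forgeable as the package), here is an added Go example that is not part of the original discussion and is not Apple's client code. It models two clients side by side: one that trusts a checksum published by the serving host, and one that verifies an Ed25519 signature against a public key pinned in the client. The Package layout, the Vendor and impostor identities, the Ed25519 choice and the payload bytes are all constructed for the demonstration; nothing on this page states what format or algorithm Apple actually used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Package models what an update client downloads: the payload plus the
// integrity metadata served alongside it. A host that can impersonate the
// update server (DNS or routing tricks) controls all three fields, so only a
// check rooted in something the client already holds can tell publishers apart.
type Package struct {
	Name     string
	Payload  []byte
	Checksum string // hex SHA-256 as published by the serving host
	Sig      []byte // detached Ed25519 signature over Payload
}

// Vendor is a hypothetical stand-in for the update publisher. The private
// half never leaves the vendor; the public half is what a client ships with.
type Vendor struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewVendor creates a fresh signing identity. Calling it a second time gives
// an unrelated identity, which is how the impostor below is modelled.
func NewVendor() (*Vendor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Vendor{Pub: pub, priv: priv}, nil
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Publish builds a package as a signing publisher would: a checksum that
// catches transfer corruption and a signature bound to the publisher's key.
func (v *Vendor) Publish(name string, payload []byte) Package {
	return Package{
		Name:     name,
		Payload:  payload,
		Checksum: sha256Hex(payload),
		Sig:      ed25519.Sign(v.priv, payload),
	}
}

// VerifyByServerChecksum is the weak client from the discussion: it trusts
// whatever checksum the serving host published. A spoofed host publishes a
// matching checksum for its own payload, so this passes for any server.
func VerifyByServerChecksum(p Package) bool {
	return sha256Hex(p.Payload) == p.Checksum
}

// VerifyBySignature is the client the story summary describes: the public key
// is pinned in the client, so a package signed by any other key, or a payload
// altered after signing, is rejected regardless of which host served it.
func VerifyBySignature(pinned ed25519.PublicKey, p Package) bool {
	if len(p.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, p.Payload, p.Sig)
}

func main() {
	vendor, err := NewVendor()
	if err != nil {
		panic(err)
	}
	impostor, err := NewVendor() // attacker's own key pair, served from a spoofed host
	if err != nil {
		panic(err)
	}

	// Constructed payloads standing in for real update packages.
	legit := vendor.Publish("SoftwareUpdate-1.4.6", []byte("constructed: genuine update bytes"))
	spoof := impostor.Publish("SoftwareUpdate-1.4.6", []byte("constructed: attacker payload bytes"))

	fmt.Println("checksum-only client accepts genuine:", VerifyByServerChecksum(legit))
	fmt.Println("checksum-only client accepts spoofed:", VerifyByServerChecksum(spoof))
	fmt.Println("pinned-key client accepts genuine:   ", VerifyBySignature(vendor.Pub, legit))
	fmt.Println("pinned-key client accepts spoofed:   ", VerifyBySignature(vendor.Pub, spoof))
}
```

The checksum-only client accepts both packages because the impostor publishes a checksum for its own bytes, which is exactly the weakness the two posts above describe. The pinned-key client rejects the impostor's package without any per-user key exchange: redirecting DNS or routes hands the attacker the connection, not the vendor's private key, so the only thing that must be protected is the public key already inside the client. The residual risks in this model are the client's first copy of that key (which is why the thread's advice to verify the update that ships the new client out of band matters) and the vendor's signing key itself.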
Other Problems with Software Update (Score:2, Interesting)
by namespan (namespansdNO@SPAMmmedia.csoft.net) on Saturday July 13, @03:59PM (#3878517)
(User #225296 Info)
1) If you download a package, and for some reason, it doesn't install right off (any kind of error, or even if you're just not ready yet), Software Update FORGETS IT HAS DOWNLOADED IT. This is particularly frustrating when you have just downloaded an 18 MB package over your modem, and you have to do it again.

2) If you download part of a package, of course, it doesn't use any kind of smart downloading process to pick up where it left off. Arg.

3) What is this with everything requiring 300 MB to install 20 MB pieces of software? Sure, that's sneezing space for those of you with 40 GB drives, but some of us are still running mere 5 Gig machines.

hmmm (Score:3, Funny)
by owenc on Saturday July 13, @05:20PM (#3878786)
(User #255848 Info | http://www.geocities.com/owencannon | Last Journal: Thursday April 04, @09:11PM)
doesn't seem to be compatible with the 10.1.3.1337 update that came out yesterday :(. in fact, all my programs don't launch anymore. not even aol.
Gee... (Score:1)
by newestbob on Saturday July 13, @07:01PM (#3879082)
(User #589866 Info | http://www.yahoot.com/)
...when Apple plugs a hole...5 days later...you praise them for being quick.

When Microsoft has an auto-update for XP, you bash them.

Re:Wow (Score:2)
by Peyna (peyna.parlorcity@com) on Saturday July 13, @11:26AM (#3877178)
(User #14792 Info | http://picek.ath.cx/ | Last Journal: Sunday March 24, @10:37PM)
What bug-free and/or 100% secure OS's exist? How would one ever know if it was 100% secure?
  • Re:Wow by TellarHK (Score:2) Saturday July 13, @12:59PM
Re:Impressive. Now if they weren't control freaks. (Score:1)
by Bobartig on Saturday July 13, @01:14PM (#3877718)
(User #61456 Info)
If you're really that concerned with the politics of your hw, there's really very little related to computers you *COULD* buy. What with scandals abound from M$ and apple, all the lawsuits involved with DRAM mnfr's, shoddy HD's, and optical/removable drives with deplorable MTBF ratings (compared to parts being made 10 years ago), and all the bad mouthing and CSR nightmares in between, it's amazing you found a box to post on today.
Re:Funny (Score:1)
by Bobartig on Saturday July 13, @01:32PM (#3877807)
(User #61456 Info)
Well, then the story comes out that they knew about the security hole before the SW reached the shelves, but it was after GM, so they conveniently "obscured" reports of it until a few months later when the release hoopla has died down, and they can release the patch without too much embarrassment.

On the flip side of things, 5 days really isn't "that" fast, or newsworthy. But what can you do? M$ is the badguy and any publicity is bad, and Apple's the underdog, and any publicity is good.
Re:Funny (Score:5, Insightful)
by jamie (jamie@@@slashdot...org) on Saturday July 13, @01:37PM (#3877834)
(User #78724 Info | http://jamie.mccarthy.vg/ | Last Journal: Saturday July 13, @10:50AM)
"When Microsoft announces a patch for Windows two days after a security hole is found, they get bashed for publishing insecure software. When Apple fixes a hole five days after acknowledging it, they're praised for being so quick to patch it."

The situation is not quite comparable...

The last n Microsoft security holes that I've seen have been discovered by security groups which reported them privately to Microsoft, and worked with Microsoft for typically a month or two to get the patch out. Then the vulnerability was announced the same day as the patch release. A few days or weeks later, an exploit for the vulnerability was posted someplace reasonably mainstream.

Not so here. The Apple vulnerability was just posted to bugtraq along with an exploit. No indication was made that any attempt to contact Apple was made, much less working privately with Apple while the problem was resolved.

http://www.cunap.com/~hardingr/projects/osx/exploit.html [cunap.com]

http://online.securityfocus.com/archive/1/280964 [securityfocus.com]

Also this wasn't the worst vulnerability ever found. If someone poisons your DNS server they really can do all manner of bad things to you; Software Update is (was) just one of many concerns you should have. Keep your DNS servers secure!

Re:"Mac's don't have bugs" (Score:2)
by jimbolaya on Saturday July 13, @03:50PM (#3878490)
(User #526861 Info | http://slashdot.org/)
Yeah, yeah, yeah, and Microsoft doesn't have bugs, either. They have service packs...and service packs...and service packs...
Re:And if this was Microsoft (Score:2)
by feldsteins (<moc.cam> <ta> <nietsdlefttocs>) on Saturday July 13, @08:22PM (#3879274)
(User #313201 Info | http://home.wi.rr.com/sfeldstein/scott)
I think you're right. They would be bitching about how slow Microsoft is with the update. But surely you're not suggesting Apple is getting a free ride in the Slashdot forums. Apple takes a hell of a beating here or haven't you noticed that the main discussion here begins with 5 "jokes" at Apple's expense?
   
  The more daring observation would be:
   
  "If this were a Linux distro putting out an update they would be praised for how quickly and efficiently they had handled the situation." Or at least they would be instantly forgiven for having taken 5 days.
Linux is Funnier (Score:2)
by feldsteins (<moc.cam> <ta> <nietsdlefttocs>) on Saturday July 13, @08:35PM (#3879314)
(User #313201 Info | http://home.wi.rr.com/sfeldstein/scott)
The real truth of the matter is that it's not Apple who gets a free ride here at Slashdot - it's Linux. Usually when a Linux distro is patched/updated the story on the front page ( and it's always on the front page) usually includes the word "drool" and at least one exclamation point. Apple takes their lumps here same as Microsoft. Worse in many ways because more than half the people here are at least dual-booting a MS OS. Almost none are using an Apple one. But when do the Linux guys get criticised here? About anything?
   
  And just for the record [slashdot.org].