According to the BugTraq mailing list, a hacker named Russell Harding has posted full instructions online for how to fool Apple's SoftwareUpdate feature to allowing a hacker to install a backdoor on any Mac running OS X.

The exploit takes advantage of SoftwareUpdate, Apple's software updating mechanism in OS X, which checks weekly for new updates from the company. According to Harding, who claims to have discovered the exploit, the feature downloads updates over the Web with no authentication and installs them on a system. So far, there are no patches available for this problem.

"Apple takes all security notifications seriously and is actively investigating this report," a company representative said.

Harding stressed that the exploit is a simple one if using several well-known techniques, including domain-name service (DNS) spoofing and DNS cache poisoning.

DNS spoofing is an attack where an individual seeks out a numerical IP (Internet Protocol) address (for example, 1.2.3.4) corresponding to a specific Internet address (for example, www.cnet.com), but an attacker's computer intercepts the request. The attacker then sends back a false IP address that corresponds to a hostile server.

DNS cache poisoning has similar results, but instead of intercepting a request for an IP address, the attacker uses a variety of techniques to replace the valid address in an official DNS server with an address pointing to the attacker's computer.

When SoftwareUpdate runs normally, a person's computer connects via HTTP to an Apple.com page and sends a simple request for an XML document containing the latest inventory of OS X software. The Apple.com site returns the document, which the person's computer then cross-checks against what it has installed.

After the check, OS X sends a list of software that needs to be updated to another page on Apple.com. If an update for the software is available, the SoftwareUpdate server responds with the location of the software, its size, and a brief description. If not, the server sends a blank page with the information, "No Updates."

On his Web site, Harding provides two programs that he says have been customized for carrying such an attack. One program listens for DNS queries for updates, and when it receives them replies with spoofed packets rerouting them to the attacker's computer.

The second program, which is downloaded onto a victim's Mac and masquerades as a security update, contains a copy of the encrypted communications program, Secure Shell.

Automatic updates of software--particularly operating system software--is a growing trend. Several Linux companies offer this feature for their distributions of the open-source operating system, and Microsoft recently launched a similar service called Microsoft Software Update Services.

ZDNet U.K.'s Matt Loney reported from London. News.com's Robert Lemos contributed to this report.

Related Quotes

Quotes delayed 20+ minutes

	APPLE COMPUTER INC	AAPL	17.53	0.00

Quote Lookup:   Symbol Lookup

Streaming Real Time Quotes

Related News
• Apple aims for Uncle Sam connection July 3, 2002
• Get this story's "Big Picture"

Reader Resources
• Mac OS X guide
• The great OS switch: Tips on moving from PC to Mac or Mac to PC

Also from CNET Networks
• Find out if DSL is available in your neighborhood
• Need to back up a PC or a Mac? Check out these speedy and portable CD burners.
• ZDNet: Tablet PCs--it's the cool factor
• There are now over 1 million open tech jobs. Find the right one for you.
• CNET News.com Vision Series: HP CIO Bob Napier talks about integration