Mac OS X Software Update Vulnerability Found || The Mac Observer

Skip navigational links

Choose text size:

You're viewing an article in TMO's historic archive vault. Here, we've preserved the comments and how the site looked along with the article. Use this link to view the article on our current site:
Mac OS X Software Update Vulnerability Found

Mac OS X Software Update Vulnerability Found

by , 1:40 PM EDT, July 8th, 2002

Security Focus Online posted a brief bug report on a security vulnerability within Mac OS X's Software Update application. The security hole could allow a malicious application to be installed with root authentication while pretending to be another "official" update from Apple. Root access is a Unix term that refers to having complete control over a computer, and user access to "root" is turned off by default in Mac OS X (see our tutorial on enabling root for more information). From the report:

Summary:

Mac OS X includes a software updating mechanism "SoftwareUpdate". Software update, when configured by default, checks weekly for new updates from Apple. HTTP is used with absolutely no authentication. Using well known techniques, such as DNS Spoofing, or DNS Cache Poisoning it is trivial to trick a user into installing a malicious program posing as an update from Apple.

Impact:

Apple frequently releases updates, which are all installed as root. Exploiting this vulnerability can lead to root compromise on affected systems. These are known to include Mac OS 10.1.X and possibly 10.0.X.

An example exploit of this vulnerability is documented and at the current time there is no work around. This vulnerability affects all versions of Mac OS X.

The Mac Observer Spin:

Security vulnerability such as this may seem like a small piece of news, but the implication of how such a hole could be exploited is great. An unsuspecting user could check for updated software today and find a software update titled "Mac OS X 10.1.6 Update." That user would probably without thinking start the download and installation, entering the admin password in the process. This gives the "update" full access to the machine and the opportunity to really muck things up.

For a long time Apple products have seemed to be void of security vulnerabilities -- at least when compared to Microsoft offerings. Now that we have entered the age of Mac OS X, a good deal more attention is being devoted to Apple and the Macintosh platform by all types of people. This will bring more viruses, more security holes found, and more security holes exploited by malicious individuals. Apple has so far made an excellent effort to plug these holes as quick as possible, something our friends in Redmond might take to heart.

Warning: include(/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/extension.inc) [function.include]: failed to open stream: No such file or directory in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 108

Warning: include() [function.include]: Failed opening '/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/extension.inc' for inclusion (include_path='.:/usr/share/php5:/usr/share/php') in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 108

Warning: include(/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/common.) [function.include]: failed to open stream: No such file or directory in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 110

Warning: include() [function.include]: Failed opening '/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/common.' for inclusion (include_path='.:/usr/share/php5:/usr/share/php') in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 110

Warning: include(/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/includes/bbcode.) [function.include]: failed to open stream: No such file or directory in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 112

Warning: include() [function.include]: Failed opening '/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/includes/bbcode.' for inclusion (include_path='.:/usr/share/php5:/usr/share/php') in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 112

Fatal error: Call to a member function sql_query() on a non-object in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 532

Recent Headlines - Updated May 24th

Fri, 10:18 AM: News - AT&T Hits Customers with a New Administrative Fee
9:22 AM: News - Google, Facebook May be Facing Waze Bidding War
6:22 AM: TMO Quick Tip - Terminal: Using “lsof” When Files Won’t Delete
Thu, 9:31 PM: News - Judge Cote Likely to Side with U.S. Against Apple
7:02 PM: Editorial - Microsoft Commercials Take Swipes at Apple’s iPad
5:59 PM: Product News - Apple Updates Fuji-Xerox Printing & Scanning Drivers
4:57 PM: Reuters Traces Apple’s Irish Operations Back to 1980
2:01 PM: News - Apple Reportedly Plans WWDC Keynote for Monday, June 10th
1:15 PM: Rumor - Analyst: iWatch Coming in 2014 with Biometrics
11:30 AM: Editorial - Pondering Those Who Dis Apple’s CEO Tim Cook [VIDEO]
10:37 AM: Mailbox, Now with iPad Support
9:41 AM: News - Apple Says Samsung Galaxy S4 Violates 5 Patents

The Mac Observer Reader Specials

Support TMO, Buy from Amazon, MacMall and The Apple Store

© The Mac Observer, Inc. -- All rights reserved. All information presented on this site is copyrighted by The Mac Observer, Inc. except where otherwise noted. No portion of this site may be copied without express written consent. Other sites are invited to link to any aspect of this site provided that all content is presented in its original form and is not placed within another frame. The Mac Observer is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple, Inc.