Hacker to Apple: Watch those downloads

A security mailing list says Apple OS X users may unwittingly allow a hacker to piggyback malicious code on downloads from Apple's SoftwareUpdate service.

A security mailing list has alerted Apple Computer OS X users to a program that could let a hacker piggyback malicious code on downloads from the company's SoftwareUpdate service.

According to the BugTraq mailing list, a hacker named Russell Harding has posted full instructions online for how to fool Apple's SoftwareUpdate feature into allowing a hacker to install a backdoor on any Mac running OS X.

The exploit takes advantage of SoftwareUpdate, Apple's software updating mechanism in OS X, which checks weekly for new updates from the company. According to Harding, who claims to have discovered the exploit, the feature downloads updates over the Web with no authentication and installs them on a system. So far, there are no patches available for this problem.

"Apple takes all security notifications seriously and is actively investigating this report," a company representative said.

Harding stressed that the exploit is a simple one that uses several well-known techniques, including domain-name service (DNS) spoofing and DNS cache poisoning.

DNS spoofing is an attack where an individual seeks out a numerical IP (Internet Protocol) address (for example, 1.2.3.4) corresponding to a specific Internet address (for example, www.cnet.com), but an attacker's computer intercepts the request. The attacker then sends back a false IP address that corresponds to a hostile server.

DNS cache poisoning has similar results, but instead of intercepting a request for an IP address, the attacker uses a variety of techniques to replace the valid address in an official DNS server with an address pointing to the attacker's computer.

When SoftwareUpdate runs normally, a person's computer connects via HTTP to an Apple.com page and sends a simple request for an XML document containing the latest inventory of OS X software. The Apple.com site returns the document, which the person's computer then cross-checks against what it has installed.

After the check, OS X sends a list of software that needs to be updated to another page on Apple.com. If an update for the software is available, the SoftwareUpdate server responds with the location of the software, its size, and a brief description. If not, the server sends a blank page with the information, "No Updates."
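The flow just described trusts whatever the HTTP responses contain, so a spoofed DNS answer is enough to substitute both the catalog and the package. As an added illustration (not code from Apple or from the article), here is a toy update client in Python: `naive_update` mirrors the trusting behaviour, while `evaluate_update` refuses a catalog without a valid vendor signature and a package whose size or digest differs from what the signed catalog pins. An HMAC with a constructed key stands in for the vendor's asymmetric signature; the catalog format, URL and payloads are all constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key: stands in for the vendor's signing key (a real
# mechanism would use an asymmetric signature, not a shared secret).
VENDOR_KEY = b"constructed-demo-key"

# Constructed bytes standing in for a genuine download and a substituted one.
GENUINE_PKG = b"constructed genuine update payload"
FORGED_PKG = b"constructed substituted payload"


def make_catalog(pkg: bytes) -> bytes:
    """Build a constructed XML inventory naming one update and pinning its size and SHA-256."""
    return (
        '<updates><update name="SecurityUpdate" '
        'url="http://updates.example.test/secupd.pkg" '
        f'size="{len(pkg)}" sha256="{hashlib.sha256(pkg).hexdigest()}"/></updates>'
    ).encode()


def sign_catalog(key: bytes, catalog: bytes) -> str:
    """Vendor side: authenticate the catalog independently of the transport."""
    return hmac.new(key, catalog, hashlib.sha256).hexdigest()


def verify_catalog(key: bytes, catalog: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_catalog(key, catalog), sig)


def naive_update(catalog: bytes, pkg: bytes) -> str:
    """The behaviour the article describes: install whatever the HTTP response names."""
    entry = ET.fromstring(catalog).find("update")
    return f"installed: {entry.get('name')}"


def evaluate_update(key: bytes, catalog: bytes, sig: str, pkg: bytes) -> str:
    """Hardened client: only a signed catalog and a matching package get installed."""
    if not verify_catalog(key, catalog, sig):
        return "rejected: catalog signature invalid"
    entry = ET.fromstring(catalog).find("update")
    if len(pkg) != int(entry.get("size")):
        return "rejected: package size mismatch"
    if not hmac.compare_digest(hashlib.sha256(pkg).hexdigest(), entry.get("sha256")):
        return "rejected: package digest mismatch"
    return f"installed: {entry.get('name')}"
```

Redirecting the download alone fails the digest or size check; serving a forged catalog fails the signature check, which is what makes the spoofed DNS answer harmless.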

On his Web site, Harding provides two programs that he says have been customized for carrying out such an attack. One program listens for DNS queries for updates and, when it receives them, replies with spoofed packets rerouting them to the attacker's computer.

The second program, which is downloaded onto a victim's Mac and masquerades as a security update, contains a copy of the encrypted communications program, Secure Shell.

Automatic updates of software--particularly operating system software--are a growing trend. Several Linux companies offer this feature for their distributions of the open-source operating system, and Microsoft recently launched a similar service called Microsoft Software Update Services.

ZDNet U.K.'s Matt Loney reported from London. News.com's Robert Lemos contributed to this report.