Design flaws bite Apple
- 28 July, 2002 22:00
Along with the warning Harding released software demonstrating the exploit. It attempts to convince the user to accept a “security update” that installs a version of SSH (Secure Shell) that allows a hacker to log into any account on the system with the password of “URhacked!”.
Harding described the attack as “trivial”, but the truth is somewhat murkier than that.
Essentially, the problem comes about because the software update program’s only form of security has been the name of the Apple server hard-coded into it. Once the program has connected to the Apple server it communicates with it using unencrypted streams to download an XML file and then download any necessary updates. By default the software checks for these updates automatically and asks the user if they want to install them.
It may be possible for another program to intercept these transactions and perform a man-in-the-middle attack, but the most likely form of attack would be to convince your computer that the hacker’s computer is Apple's server. This can be done by convincing a DNS server to which you connect to report the hacker's IP address instead of the Apple server's one. To do this that server needs to be vulnerable to having its cache “poisoned”.
This attack on the DNS is not particularly straightforward either. The hacker needs to set up a DNS that contains records for www.anywhere.com and then convince you somehow to request that domain name from your server. When your server requests that domain name, the hacker’s server returns the www.anywhere.com details, but sneaks in additional information for the Apple software update server with the hacker's IP details. If your server is vulnerable, it will now report that address when your computer queries it to perform an update check.
However, this whole exercise would be pointless if the software update program could somehow verify that the software does in fact come from Apple. In other words, this fault is not a bug in the software but a systematic failure caused by a design flaw.
The good news is that Apple has resolved this problem with the release of Security Update 7-18-02. This update is different to the recently released Security Update July 2002 (which corrects bugs found in Apache and OpenSSH). It in fact replaces the Software Update program with a version that ensures updates have been signed by Apple using its private key before installing them.
You can check to see whether this update has been installed by opening up the software update panel in the system preferences and clicking the "update now" button. If you have already installed it, your system will report that it is “up to date”. While you are there, I would also strongly recommend changing the preference for updating software from automatically to manually, so that you have full control over what is installed on your computer.
While it is laudable that Apple responded so quickly to this reported problem and produced an update within days, the question of why this technique wasn't part of the original design -- when it has been in common use by other vendors -- has to be asked.