
Crunch time for Apple OS security

by James Middleton

09 Jul 2002


Apple came under fire yesterday after a security researcher issued an alert detailing how an attacker could get malicious code run as root on a Mac.

Russell Harding, of the University of Colorado, released the advisory to the Bugtraq mailing list yesterday.

The flaw lies in the Mac OS X automatic software updating system, SoftwareUpdate, which checks for and downloads updates from Apple on a weekly basis.

The update mechanism carries out its tasks over plain HTTP, with no authentication of the server it talks to and no verification of the packages it downloads.

"Using well known techniques, such as DNS spoofing, or DNS cache poisoning, it is trivial to trick a user into installing a malicious program posing as an update from Apple," warned Harding.

DNS spoofing and cache poisoning are techniques for making a machine resolve a legitimate hostname, such as Apple's update server, to an address the attacker controls, so that the victim connects to a rogue computer believing it to be the real one. For an attacker with the know-how, they are easy to carry out.

The vulnerability is further compounded by the fact that Mac OS X installs updates as root, so whatever a spoofed server delivers runs with full privileges.

"Exploiting this vulnerability can lead to root compromise on affected systems. These are known to include Mac OS 10.1.X and possibly 10.0.X," said Harding.

Harding has released a full exploit for this vulnerability in a bid to "convince Apple that it needs, at the very least, some basic authentication in SoftwareUpdate". The package includes everything needed to impersonate the update site.

Apple has not yet released any sort of patch, but is looking into the matter.

The most obvious solution, according to other experts on Bugtraq, is to add some form of cryptographic authentication of the update packages themselves.

"Apple doesn't even post MD5 sums of the files, let alone a PGP/GnuPG signature. There is absolutely no verification of the packages as far as I can tell," said Kurt Seifried of security firm iDefense.
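The following Go program is an added illustration of the problem Harding and Seifried describe; it is not Apple's code and the advisory's exploit is not reproduced here. DNS is modelled as a map from hostname to server, the hostname `updates.example.com` is a placeholder, the payloads are constructed strings, and Ed25519 stands in for the PGP/GnuPG signatures Seifried suggests. It contrasts three clients against an honest and a poisoned resolver: one that installs whatever it downloads (the 2002 SoftwareUpdate behaviour), one that checks an MD5 sum published on the same server, and one that verifies a detached signature under a key pinned in the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// updateHost is a placeholder hostname for the simulation, not Apple's real one.
const updateHost = "updates.example.com"

// Package is what an update server hands out: the installer payload and
// whatever metadata the server publishes next to it.
type Package struct {
	Name      string
	Payload   []byte
	MD5       string // hex MD5 of Payload, published by the same server
	Signature []byte // detached signature over Payload
}

// Server models one host a client may reach when it resolves updateHost.
type Server struct {
	Packages map[string]Package
}

// Resolver stands in for DNS. A poisoned resolver returns the attacker's
// server for the genuine hostname; nothing in the HTTP exchange reveals that.
type Resolver map[string]*Server

func md5hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// fetchUnauthenticated is the behaviour the advisory describes: resolve the
// hostname, download over plain HTTP, and hand the result to the installer.
func fetchUnauthenticated(r Resolver, host, name string) (Package, error) {
	srv, ok := r[host]
	if !ok {
		return Package{}, errors.New("hostname does not resolve")
	}
	pkg, ok := srv.Packages[name]
	if !ok {
		return Package{}, errors.New("package not found")
	}
	return pkg, nil
}

// fetchWithMD5 also compares the payload against the MD5 sum published on
// the same server. That catches corruption, but an attacker who controls the
// server the client reaches simply publishes a sum for the malicious file.
func fetchWithMD5(r Resolver, host, name string) (Package, error) {
	pkg, err := fetchUnauthenticated(r, host, name)
	if err != nil {
		return Package{}, err
	}
	if md5hex(pkg.Payload) != pkg.MD5 {
		return Package{}, errors.New("checksum mismatch")
	}
	return pkg, nil
}

// fetchVerified checks a detached signature against a public key pinned in
// the client. The attacker's server can serve any payload and any checksum,
// but cannot produce a signature that verifies under the vendor's key.
func fetchVerified(r Resolver, host, name string, vendorKey ed25519.PublicKey) (Package, error) {
	pkg, err := fetchUnauthenticated(r, host, name)
	if err != nil {
		return Package{}, err
	}
	if !ed25519.Verify(vendorKey, pkg.Payload, pkg.Signature) {
		return Package{}, errors.New("signature does not verify; refusing to install")
	}
	return pkg, nil
}

// buildScenario constructs the vendor's server, the attacker's server, an
// honest resolver and a poisoned one. Keys are generated fresh and the
// payloads are constructed strings, not real installers.
func buildScenario() (Resolver, Resolver, ed25519.PublicKey) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker signs with a key the client does not trust
	if err != nil {
		panic(err)
	}
	genuine := []byte("genuine installer payload")
	malicious := []byte("malicious installer payload (runs as root)")
	vendor := &Server{Packages: map[string]Package{
		"SecurityUpdate": {Name: "SecurityUpdate", Payload: genuine, MD5: md5hex(genuine), Signature: ed25519.Sign(vendorPriv, genuine)},
	}}
	attacker := &Server{Packages: map[string]Package{
		"SecurityUpdate": {Name: "SecurityUpdate", Payload: malicious, MD5: md5hex(malicious), Signature: ed25519.Sign(attackerPriv, malicious)},
	}}
	return Resolver{updateHost: vendor}, Resolver{updateHost: attacker}, vendorPub
}

func main() {
	honest, poisoned, key := buildScenario()
	for _, tc := range []struct {
		label string
		r     Resolver
	}{{"honest DNS", honest}, {"poisoned DNS", poisoned}} {
		p1, e1 := fetchUnauthenticated(tc.r, updateHost, "SecurityUpdate")
		p2, e2 := fetchWithMD5(tc.r, updateHost, "SecurityUpdate")
		p3, e3 := fetchVerified(tc.r, updateHost, "SecurityUpdate", key)
		fmt.Printf("%s: plain -> %q (%v); md5 -> %q (%v); signed -> %q (%v)\n",
			tc.label, p1.Payload, e1, p2.Payload, e2, p3.Payload, e3)
	}
}
```

The design point is where the trust anchor lives. A checksum fetched over the same unauthenticated channel as the package only detects accidental corruption, because whoever impersonates the server also controls the checksum; it helps only if the client obtains it from a source the attacker cannot spoof. A signature verified under a key shipped with the client moves the anchor into the client, so the attacker's DNS position buys nothing but a denial of service.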
