“A security mailing list has alerted Apple’s OSX users to a program that could let a hacker piggyback malicious code on downloads from the company’s SoftwareUpdate service.” Read the report at ZDNews.
quote:
This “hack” is a LOT of work, and applies to ANY updater that connects to a website! “Oh no! I can’t update my software because I can’t trust what’ll happen when I type www!!!”
—–
wrong. for example, WindowsUpdate uses an encrypted hash key to verify that it is authentic. debian and gentoo use md5 to check if the files are correct (in gentoo, this is stored in the portage tree, which is stored elsewhere than the updates, etc). so that makes it just a little bit more difficult. if the md5/hash isn't correct, the file/update/whatever is rejected.
That was the most misleading article I’ve ever read, especially the headline. I’ve seen the original message on BugTraq and all it says is that software update doesn’t employ authentication and the packages downloading aren’t digitally signed. That’s definitely not good but it’s a far cry from “Hacker Cracks Apple Downloads”. Why don’t they mention the many thousands of other companies that post software updates on their website that aren’t digitally signed?
ZDNews sucks…
They didn’t mention the fact that most companies don’t take those extra security precautions because of an anti-Apple conspiracy brewing. Just kidding. It was definitely a fluff piece though.
It was nice to have it pointed out from a non-malicious source however. That would be said hacker, not ZDNet
So how could you exploit this? How well does DNS spoofing work outside a LAN? And is e.g. apt-get more secure?
Interested, Jens
This “hack” is a LOT of work, and applies to ANY updater that connects to a website! “Oh no! I can’t update my software because I can’t trust what’ll happen when I type www!!!”
although DNS poisoning is possible, an attack of this kind would probably use compromised routers ala BitchX back door hack.
If I’m going to go to the trouble to poison your dns for the update site, I could do the same when you download the md5 checksums. md5 checksums don’t provide security they check file integrity. The only really secure (in my opinion) way to update is to ship a public key on the installation media and sign all updates with the private key.
well, md5 also checks/verifies if a file has been modified, ergo, a new md5 hash, ergo, the file is rejected.
and no, I’m not saying that md5 is secure, but it’s better than nothing. the best would of course be to use some sort of private key/rsa hash/or similar.
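The two checks the posts above compare, as an added Go example that is not code from this thread or from any of the updaters discussed: a checksum published next to the package, and a signature verified against a key that shipped with the installer. Ed25519 stands in for the unspecified “private key/rsa” scheme, and the package bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Update models what an unauthenticated mirror hands the client: the package
// bytes plus the metadata published next to it. Whoever controls the download
// channel controls every one of these fields.
type Update struct {
	Package []byte
	MD5     string // checksum published alongside the package
	Sig     []byte // Ed25519 signature over Package, made with the vendor's private key
}

// md5Matches is the checksum-style check: it only tells you the bytes arrived
// intact, not who produced them.
func md5Matches(u Update) bool {
	sum := md5.Sum(u.Package)
	return hex.EncodeToString(sum[:]) == u.MD5
}

// signatureValid is the check the thread argues for: the public key came with
// the installation media, so the mirror cannot substitute it.
func signatureValid(pinned ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pinned, u.Package, u.Sig)
}

// publish is the vendor side: compute the checksum and sign the package.
func publish(priv ed25519.PrivateKey, pkg []byte) Update {
	sum := md5.Sum(pkg)
	return Update{Package: pkg, MD5: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(priv, pkg)}
}

// tamper models a replaced package whose checksum was republished to match;
// without the private key the old signature no longer covers the new bytes.
func tamper(u Update, replacement []byte) Update {
	sum := md5.Sum(replacement)
	return Update{Package: replacement, MD5: hex.EncodeToString(sum[:]), Sig: u.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := publish(priv, []byte("constructed sample update v1.0"))
	swapped := tamper(genuine, []byte("constructed replacement package"))
	fmt.Println("genuine: md5", md5Matches(genuine), "sig", signatureValid(pub, genuine))
	fmt.Println("swapped: md5", md5Matches(swapped), "sig", signatureValid(pub, swapped))
}
```

The swapped package passes the checksum check and fails the signature check, which is the distinction between integrity and authenticity the posts above draw.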
ok, Apple should sign or encrypt and/or otherwise tamperproof the software updates but DNS spoofing is nothing new and certainly not a “Hacker Crack[s]ing Apple Downloads”. All this FUD by non-knowledgeable people is getting way too much media coverage… Nothing to see here, move right along…