8th Jul 2002 [SBWID-5519]
COMMAND
MacOS X SoftwareUpdate Hi-jacking
SYSTEMS AFFECTED
MacOS 10.1.X and possibly 10.0.X
PROBLEM
Russell Harding [hardingr@cunap.com] with the help of Spectre Phlux,
KrazyC, Devon, and The Wench, posted:
Mac OS X includes a software updating mechanism "SoftwareUpdate".
Software update, when configured by default, checks weekly for new
updates from Apple. HTTP is used with absolutely no authentication.
Using well-known techniques, such as DNS spoofing or DNS cache
poisoning, it is trivial to trick a user into installing a malicious
program posing as an update from Apple.
Apple frequently releases updates, which are all installed as root.
Exploiting this vulnerability can lead to root compromise on affected
systems.
Exploit
=======
Get it from:
http://www.cunap.com/~hardingr/projects/osx/exploit.html
The exploit for this vulnerability has been released to the public for
testing purposes. It is distributed as a Mac OS X package which
includes DNS and ARP spoofing software. Also, it includes the CGI
scripts and Apache configuration files required to impersonate the
Apple SoftwareUpdatesServer.
SOLUTION
Update (15 July 2002)
======
Patch is now available from Apple:
http://download.info.apple.com/Mac_OS_X/061-0074.20020712/2z/SecurityUpdate7-12-02.dmg.bin
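The missing check described under PROBLEM, shown as an added example (not code from the advisory, from Apple, or from the patch): an updater that installs whatever the server returns, next to one that checks each package against a trusted catalog. The package name, payloads and catalog are constructed, and the catalog is assumed to reach the client over an authenticated channel, such as a signature checked against a key shipped with the OS.

```python
import hashlib
import hmac

# Constructed sample data: a genuine package and a substituted one.
GENUINE_PKG = b"constructed-sample: genuine update payload v2"
SPOOFED_PKG = b"constructed-sample: substituted payload"

# Assumption: this catalog is authenticated independently of the download
# channel (for example, signed and checked against a key shipped with the OS).
TRUSTED_CATALOG = {
    "ExampleUpdate.pkg": {
        "size": len(GENUINE_PKG),
        "sha256": hashlib.sha256(GENUINE_PKG).hexdigest(),
    }
}


def fetch(server, name):
    """Stand-in for an HTTP GET; 'server' is whatever host DNS pointed us at."""
    return server[name]


def install_unauthenticated(server, name):
    """The behaviour the advisory describes: accept whatever the server sends."""
    return fetch(server, name)  # bytes would be handed to the installer as root


def install_verified(server, name, catalog=TRUSTED_CATALOG):
    """Reject a package whose size or SHA-256 differs from the trusted catalog."""
    entry = catalog.get(name)
    if entry is None:
        raise ValueError(f"{name}: not listed in trusted catalog")
    data = fetch(server, name)
    if len(data) != entry["size"]:
        raise ValueError(f"{name}: size mismatch")
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        raise ValueError(f"{name}: digest mismatch")
    return data


if __name__ == "__main__":
    real_server = {"ExampleUpdate.pkg": GENUINE_PKG}
    spoofed_server = {"ExampleUpdate.pkg": SPOOFED_PKG}
    print(install_unauthenticated(spoofed_server, "ExampleUpdate.pkg") == SPOOFED_PKG)
    print(install_verified(real_server, "ExampleUpdate.pkg") == GENUINE_PKG)
    try:
        install_verified(spoofed_server, "ExampleUpdate.pkg")
    except ValueError as exc:
        print("rejected:", exc)
```

With the check in place, which host answers the request no longer decides what gets installed; the whole scheme rests on the catalog's own authenticity.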