Tuesday, February 25, 2014

Software Update Backdoor?


Another question I asked myself was: Is Software Update actually contacting Apple servers or am I being served a compromised update with even more security holes by the NSA?

Does it matter where the update comes from if it’s signed by Apple?

Update (2014-02-26): Nat!:

To get at the meat, use xar -x -f which will get you eventually to a file called Payload. That is a bzip2 encrypted tar archive. Now I find this quite hilarious. After all the hoops Apple went through, with xar, cpio, pax and what have you, they finally use tar to install, as they maybe should have right from the beginning.


Sometimes, it does matter, yes… It all depends on what actually gets downloaded and displayed to the user.

If it's a simple binary, assuming that there are no vulnerabilities in the signature check mechanism itself, which could happen, then one might be safe in thinking it will be rejected by the system if tampered with. These are big « ifs » by the way: a malformed document could conceivably backdoor the system when it is being downloaded and analysed. (Look at how often that happens with anti-virus software and email gateways, for example.)

If anything resembling web content (for example release notes) is being displayed, then it does matter a great deal, as WebKit is rife with issues.

This used to be a big issue with the Sparkle update framework (and still is, actually): companies would check the binary but would not serve the release notes over HTTPS, making it « easy » to inject a poisoned web view every time a Sparkle-enabled application updated itself. (Of course, this was back when we still thought HTTPS was the bee's knees.)

Relying on signing alone has become a little bit questionable, given how much malware is actually properly signed nowadays, and how much software is out there that does not check signatures properly.
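The Sparkle release-notes problem described in the comment above is easy to audit for in one's own appcast. The following shell script is an added example, not code from the post, the commenter, or the Sparkle project: it scans a feed for release-notes links and enclosure URLs that are fetched over plain HTTP rather than HTTPS. The `sparkle:releaseNotesLink` element and the `enclosure url=` attribute are Sparkle's real feed format; the sample feed, the `example.invalid` host and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find Sparkle appcast URLs that are not served over HTTPS.
# A signed download does not protect the release notes, which Sparkle renders
# in a WebKit view; an http:// release-notes link is the weak setting.
set -eu

# insecure_urls FILE -> prints every http:// URL used as a release-notes link
# or as an enclosure (download) URL; prints nothing if all of them are https
insecure_urls() {
    grep -oE '(<sparkle:releaseNotesLink>[^<]*|url="[^"]*")' "$1" \
        | grep -oE 'http://[^<"]*' || true
}

# count_insecure FILE -> number of such URLs (0 means the feed passes)
count_insecure() {
    insecure_urls "$1" | grep -c . || true
}

# Constructed sample appcast: the binary is fetched over HTTPS, but the release
# notes (the web content the user actually sees) come over plain HTTP.
SAMPLE_APPCAST=$(mktemp)
cat > "$SAMPLE_APPCAST" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
  <channel>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://example.invalid/notes/2.0.html</sparkle:releaseNotesLink>
      <enclosure url="https://example.invalid/Example-2.0.zip" sparkle:version="2.0" />
    </item>
  </channel>
</rss>
EOF

# The corrected feed: same content, release notes moved to HTTPS as well.
HARDENED_APPCAST=$(mktemp)
sed 's#http://example.invalid#https://example.invalid#' "$SAMPLE_APPCAST" > "$HARDENED_APPCAST"

# Usage: report on both feeds (the weak one lists one URL, the hardened one none).
echo "weak feed:";     insecure_urls "$SAMPLE_APPCAST"
echo "hardened feed:"; insecure_urls "$HARDENED_APPCAST"
```

The check deliberately ignores the `xmlns:sparkle` namespace URI, which is an identifier rather than something the client fetches; only the release-notes link and enclosure URL are loaded at update time.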

@Lukas Are you saying that there is current malware that the OS thinks is signed by Apple?

@Michael: Probably not. There is Mac malware that's being recognized by Mac OS X as properly signed, though (e.g. OSX/LaoShu-A). This is not signed by Apple, but it's signed with a certificate that's issued by Apple.

There's also malware that piggybacks on properly signed software (e.g. Troj/Plugx-G piggybacks on properly signed Windows Nvidia software).

And finally, there are instances of malware that are signed with stolen certificates (e.g. Stuxnet, Trojan.Multi.Mediyes.a).

So I wouldn't be comfortable relying on signing as the sole defense.

[…] Nat! was wondering about this possibility last year. […]

Not convinced about the tar bzip2 thing.

Payload files are in the vast majority of cases gzip-compressed cpio archives. (e.g. the latest OS X Server.app installer).

bz2 is supported as a compression format but I haven't seen it being used in the wild. Maybe it's used for the Mac App Store installation packages, but it's not for packages outside the Mac App Store.
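Nat!'s extraction steps in the update above and the gzip-versus-bzip2 point in this comment come down to the same practical procedure, so here is one added shell example covering both (it is not code from the post, from Nat!, or from any commenter): check the package signature where `pkgutil` exists, unpack the flat package with `xar`, then detect from its magic bytes whether each `Payload` is gzip- or bzip2-compressed before unpacking it with `cpio`, as this comment describes. The function names and the `unpacked` directory are this example's own choices, and the signature check only runs on a system that has `pkgutil`.

```shell
#!/bin/sh
# Added example: inspect a flat .pkg without trusting its Payload format.
# Only xar and pkgutil are macOS-specific; the format detection runs anywhere.
set -eu

# payload_format FILE -> prints gzip, bzip2 or unknown, from the leading bytes
# (gzip starts with 1f 8b, bzip2 with "BZh" = 42 5a 68)
payload_format() {
    magic=$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        1f8b*)  echo gzip ;;
        425a68) echo bzip2 ;;
        *)      echo unknown ;;
    esac
}

# extract_payload PAYLOAD DESTDIR -> decompress with the matching tool and
# unpack the cpio archive inside; refuses formats it does not recognise
extract_payload() {
    fmt=$(payload_format "$1")
    mkdir -p "$2"
    case "$fmt" in
        gzip)  gzip -dc "$1"  | (cd "$2" && cpio -idm --quiet) ;;
        bzip2) bzip2 -dc "$1" | (cd "$2" && cpio -idm --quiet) ;;
        *) echo "unrecognised Payload compression in $1" >&2; return 1 ;;
    esac
}

# unpack_pkg FILE.pkg WORKDIR -> verify the signature chain first (where
# pkgutil is available), then extract the xar container and every Payload
unpack_pkg() {
    pkg=$1; work=$2
    mkdir -p "$work"
    if command -v pkgutil >/dev/null 2>&1; then
        # pkgutil prints the signing chain and fails for unsigned packages
        pkgutil --check-signature "$pkg" || { echo "signature check failed" >&2; return 1; }
    fi
    xar -xf "$pkg" -C "$work"
    # component packages keep Payload at the top level, distribution packages
    # nest one per sub-package, so search rather than assume a path
    find "$work" -name Payload | while read -r p; do
        echo "$p: $(payload_format "$p")"
        extract_payload "$p" "$p.extracted"
    done
}

# Usage: ./inspect_pkg.sh Something.pkg [workdir]
if [ "$#" -ge 1 ]; then
    unpack_pkg "$1" "${2:-unpacked}"
fi
```

Reading the magic bytes rather than trusting a file extension is the point: the container tells you nothing about how a given Payload was compressed, and a decompressor fed the wrong format fails in unhelpful ways.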
