Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch » Coldspots

Fingers in the Pie

When hands get red.


Get It

Try It

Take the 10.6.3 update. But stop in your tracks when you see this alert.

Don't dismiss it - just ignore it. For now. And scoot over to your hard drive at path /private/var/db and see what you find. You'll find something like this - with a curious zero-length file called .SoftwareUpdateAtLogout. That really sticks out.



How did it get there? you may ask. And what does it mean? You might check further file info for .SoftwareUpdateAtLogout and you'll be even more perplexed.



That file .SoftwareUpdateAtLogout is owned by root:wheel and you are neither the one nor the other. And if you check the parent directory you'll see it too is owned by root:wheel and nobody but root can get in there to modify anything.

But you didn't give the installer your password, did you? Leopard users still do but you didn't, did you? No you didn't.

So how was the installer able to create that file .SoftwareUpdateAtLogout?

This isn't a Learning Curve article - this isn't a mystery to solve. This is an article that will hopefully open your eyes - and your mind - to what is going on.

Apple once proscribed such behaviour. They once made it clear this was a Bad Thing™.

Now they've changed their minds again.

  • Apple are updating your system files without your explicit authorisation.
  • Apple don't have to tell you they're doing anything even though it's your computer.
  • You're 'pwned' as soon as the black hats figure out how to exploit Apple's cute new 'system hack'.

6 items, 733464298 bytes, 1432568 blocks, 0 bytes in extended attributes.

/Library/Updates/index.plist
/Library/Updates/ProductMetadata.plist
/Library/Updates/zzz061-8024
/Library/Updates/zzz061-8024/061-8024.English.dist
/Library/Updates/zzz061-8024/MacOSXUpd10.6.3.pkg
/Library/Updates/zzz061-8024/RosettaFor10.6.3.pkg

Special Links
Rixstep Coldspots: AdminAuthorization
Rixstep Coldspots: .SoftwareUpdateAtLogout
Rixstep Coldspots: Security Update 2006-007
Digg: How a Malformed Installer Package Can Crack Mac OS X
Mac Geekery: How a Malformed Installer Package Can Crack Mac OS X

'I didn't have to enter my password to update. Is this typical for everyone?'
 - 'zapblast' at the MacRumors forums
'The media buzz over Opener went on the better part of a month and was then forgotten, but the fact remains that it is the single biggest security hole ever in the history of modern operating systems. No other operating system has ever offered such effortless escalation to superuser.'
 - Rixstep Industry Watch on Opener 3.9

See Also
Industry Watch: Opener 3.9
Learning Curve: Rooting 10.5.4
Developers Workshop: 061-7784
Industry Watch: Get Root on 10.5.4
Industry Watch: ARDAgent Here to Stay?
Coldspots: The Strange Case of Safari 4.0.5
Learning Curve: Of Sticky Bits & Preferences
Learning Curve: ARDAgent on Snow Leopard
Hotspots: SLIPOC — Root Exploit of Mac OS X
The Technological: Walking into an Apple Store
Red Hat Diaries: Number One at Almost Everything
Learning Curve: Symantec's OS X Threat Landscape
Learning Curve: Rootkits Roam the World of Windows
Industry Watch: For Apple, This is the Year That Wasn't

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.