Fingers in the Pie
When hands get red.
Take the 10.6.3 update. But stop in your tracks when you see this alert.
Don't dismiss it - just ignore it. For now. And scoot over to your hard drive at path /private/var/db and see what you find. You'll find something like this - with a curious zero-length file called .SoftwareUpdateAtLogout. That really sticks out.
How did it get there? you may ask. And what does it mean? You might check further file info for .SoftwareUpdateAtLogout and you'll be even more perplexed.
That file .SoftwareUpdateAtLogout is owned by root:wheel and you are neither the one nor the other. And if you check the parent directory you'll see it too is owned by root:wheel and nobody but root can get in there to modify anything.
But you didn't give the installer your password, did you? Leopard users still do but you didn't, did you? No you didn't.
So how was the installer able to create that file .SoftwareUpdateAtLogout?
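The ownership check walked through above, as a shell function. This is an added example, not part of the original article: the function names and the exit-status convention are assumptions made here, and only the directory path and the file name come from the page.

```shell
#!/bin/sh
# Added example: inspect the logout-update marker the article describes.
# MARKER_NAME and the default directory come from the page; everything
# else (function names, exit codes) is an assumption of this example.

MARKER_NAME=".SoftwareUpdateAtLogout"

# Print "uid gid size mode" for a path. `ls -ldn` is POSIX, so this
# works with both the BSD ls on Mac OS X and GNU ls.
describe() {
    ls -ldn "$1" | awk '{ print $3, $4, $5, $1 }'
}

# Exit status: 0 = zero-length marker present
#              1 = marker absent
#              2 = marker present but not empty
check_marker() {
    db_dir=${1:-/private/var/db}
    marker="$db_dir/$MARKER_NAME"

    if [ ! -e "$marker" ]; then
        echo "no marker at $marker"
        return 1
    fi

    set -- $(describe "$marker")
    m_uid=$1; m_gid=$2; m_size=$3
    set -- $(describe "$db_dir")
    d_uid=$1; d_gid=$2; d_mode=$4

    echo "marker: $marker uid=$m_uid gid=$m_gid size=$m_size"
    echo "parent: $db_dir uid=$d_uid gid=$d_gid mode=$d_mode"

    # The article's point: the logged-in user neither owns the parent
    # directory nor can write to it, yet the marker is there.
    if [ "$d_uid" != "$(id -u)" ] && [ ! -w "$db_dir" ]; then
        echo "uid $(id -u) cannot write to $db_dir: marker was created by another process"
    fi

    [ "$m_size" -eq 0 ] || return 2
    return 0
}
```

Call `check_marker` with no argument to inspect /private/var/db, or pass another directory to try it on a test tree.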
This isn't a Learning Curve article - this isn't a mystery to solve. This is an article that will hopefully open your eyes - and your mind - to what is going on.
Apple once proscribed such behaviour. They once made it clear this was a Bad Thing™.
Now they've changed their minds again.
- Apple are updating your system files without your explicit authorisation.
- Apple don't have to tell you they're doing anything even though it's your computer.
- You're 'pwned' as soon as the black hats figure out how to exploit Apple's cute new 'system hack'.
6 items, 733464298 bytes, 1432568 blocks, 0 bytes in extended attributes.
/Library/Updates/index.plist
/Library/Updates/ProductMetadata.plist
/Library/Updates/zzz061-8024
/Library/Updates/zzz061-8024/061-8024.English.dist
/Library/Updates/zzz061-8024/MacOSXUpd10.6.3.pkg
/Library/Updates/zzz061-8024/RosettaFor10.6.3.pkg
Special Links
- Rixstep Coldspots: AdminAuthorization
- Rixstep Coldspots: .SoftwareUpdateAtLogout
- Rixstep Coldspots: Security Update 2006-007
- Digg: How a Malformed Installer Package Can Crack Mac OS X
- Mac Geekery: How a Malformed Installer Package Can Crack Mac OS X

'I didn't have to enter my password to update. Is this typical for everyone?'
- 'zapblast' at the MacRumors forums

'The media buzz over Opener went on the better part of a month and was then forgotten, but the fact remains that it is the single biggest security hole ever in the history of modern operating systems. No other operating system has ever offered such effortless escalation to superuser.'
- Rixstep Industry Watch on Opener 3.9