Remember Mac OS X’s first high-profile security vulnerability? A very long time ago, when most of the Mac community still thought of UNIX as a promised land of security, stability and compatibility, when Apples were still blue and glossy, when the Dock was still wearing its stripy baby costume, it was discovered Software Update could be lured into downloading rogue updates from a malicious server. Panic ensued, as well as an update, that Apple promptly and dutifully issued. The Mac world was hurt but not defeated. Yet, that very issue that prompted so much frantic updating persists in a great many applications to date. Somehow, nobody seems to care.
Where, might you ask? In a lot of sweet-looking, fun, unassuming pieces of software. Indeed, in an effort to better distribute updates and sometimes, indeed, increase the security of their users by providing them with timely access to patches and updates, developers have built in rather simple and effective version detection mechanisms: ping server, passing along version info, get reply, parse reply and display a reassuring dialog or follow link. Barely a couple years ago, Virex, the .Mac anti-virus used this very mechanism to download definition files. In fact, one barely needed to load a special URL on Apple’s site to read, in simple text, the instructions the application was to follow.
That is all very fine and dandy, of course, but it omits to secure anything. When on a LAN, how easy is it for an attacker to redirect such queries to an internal server? Any single computer can suddenly become authoritative for updates, all the more easily that such mechanisms often rely on very open protocols — which, in itself, is a good thing.
Of course, some applications also download signatures and check them. How much protection does this provide however if the signature is downloaded over the same channel as the update? Some degree, for sure, if it is a real signature we are talking about, absolutely none if we are barely dealing with a checksum - though checksums assuredly are a great way to detect transmission errors.
One might object that no Mac application is significant enough to make this a viable vector for attack. I beg to disagree. How many developers, for example, are connecting to the Macworld or ADC wireless networks, with the same load of Text Editors, Mail clients and devleopment environments? How many of them are staying at the W Hotel near Moscone or the Marriott next door? How much variation does exist between laptops furnished by a single school or corporation? Sure, targeting application X for Jaguar on a randomly chosen public HotSpot is not likely to lead to good results. But there are plenty of scenarios where it is easy to guess what users will be running and wait for their applications to query the server, download whatever one wants them to download and, worst, automatically run it unannounced.
What, then, are developers to do? Sign applications? Assuredly but that is not doable as of today on the Mac (at least not as easily as one would wish) and even that would be too little too late - since the downloaded archive would already have been unpacked. Sign the archives? Sure. SSL the servers? Also. Of course, none of these solutions really is satisfactory: they all involve added expense for the developer and make for heavier server management practices. They are, however, the only real way to plug that hole as we know it today.
Ideally, I would like to see a Third-Party Software Update, endorsed by Apple, where developers could store their applications and make them available for download from a secure, trusted server. Heck, Apple could make the service available for a small fee, I am sure most developers would find an advantage in that - bandwidth costs reduction to begin with.
Of course, it would be impractical for Apple to verify all the applications that are stored there and I guess the legal department would brandish that one fact as proof the system is unreasonable. After all, though, why should Apple be concerned about that? The service would assure users they are downloading a genuine update to whatever application they are using: if that application is a Trojan Horse, well, at least it is the genuine Trojan you are downloading. It is still a big improvement. Adding signatures to individual files would make it easier to verify the archives that are downloaded do belong to a specific developer, providing an additional layer of protection. Finally, users and system administrators would only need to care about a single point of updating instead of dozens of them: that makes for a great fewer holes at the firewall level and increased security for the network - at least, hopefully.
Silly? Maybe. You decide and I will read your ideas with the greatest of interest in the comments!