Re: [Fed-Talk] Software Updates in Mountain Lion?
- Subject: Re: [Fed-Talk] Software Updates in Mountain Lion?
- From: Jeffrey Walton <email@hidden>
- Date: Thu, 27 Sep 2012 15:30:49 -0400
On Thu, Sep 27, 2012 at 11:15 AM, Silberberg, David
<email@hidden> wrote:
> We (1) rely on centralized software update to deploy patches/updates to our
> few OS X machines, and (2) cannot access the Apple store from inside our
> network. In working with Mountain Lion, we have discovered that the
> software update function is configured to go to the Apple store, and we have
> not found a way to redirect it to our OS X update server.
>
> Has anyone either found the same thing, or figured out how to use an
> “internal provider” for updates?
It gets even worse.
Both the "Software Update" UI and the softwareupdate program use plain text
HTTP. It does not appear to be user configurable (I have not found it,
and I have been looking for some time). At minimum, I would expect the
organization's update server to use HTTPS by default.
If there is an HTTPS connection available, it probably suffers all the
customary infrastructure threats (when going outside the
organization). That is, the software is not leveraging the
"pre-existing relationship," so this can happen again within the
update process: "Hacker Bypasses Apple's iOS In-App Purchases,"
http://www.esecurityplanet.com/mobile-security/hacker-bypasses-apples-ios-in-app-purchases.html.
Rather than fixing StoreKit with a technical control such as
Certificate Pinning or Public Key Pinning, Apple sent their lawyers
out for take downs. Sigh....
The network code (both client and server) uses predictable TCP
sequence numbers. I did not think anyone was running with that feature
in their stack in 2012. You can confirm this with echo "GET / HTTP/1.1" |
openssl s_client -connect swdownload.apple.com:443.
Apple servers are misconfigured and unpatched. Secure Renegotiation is
*not* supported, and MD5 is part of the client and server's preferred
cipher. You can confirm this with echo "GET / HTTP/1.1" | openssl
s_client -connect swdownload.apple.com:443.
It's a wonder Macs are used in the Federal arena when Apple can't
securely deliver updates (i.e., authenticity assurances). Anyone who
has been through the process knows Supply Chain is within an
organization's purview per SP 800-53A, SA-12.
Jeff
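The two server-side checks Jeff describes above (Secure Renegotiation support and an MD5-based cipher suite) can be automated by parsing the output of openssl s_client. The script below is an added example, not code from the original post or from Apple; it runs the checks over a constructed sample transcript embedded in the script, so it works offline. The sample transcript is made up for illustration and is not a real capture from swdownload.apple.com; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an `openssl s_client`
# transcript for two weaknesses named in the thread, missing Secure
# Renegotiation (RFC 5746) and a negotiated cipher suite that uses MD5.

# CONSTRUCTED sample transcript standing in for the output of
#   echo "GET / HTTP/1.1" | openssl s_client -connect host:443
# (not a real capture from any Apple server).
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
SSL handshake has read 3245 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5'

# check_renegotiation TRANSCRIPT
# Returns 0 when the transcript reports "Secure Renegotiation IS supported",
# 1 otherwise ("IS NOT supported" does not match this pattern).
check_renegotiation() {
    printf '%s\n' "$1" | grep -q 'Secure Renegotiation IS supported'
}

# negotiated_cipher TRANSCRIPT
# Prints the cipher suite name from the "New, <proto>, Cipher is <suite>" line.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1
}

# cipher_uses_md5 SUITE
# Returns 0 when the OpenSSL suite name contains MD5 (e.g. RC4-MD5), 1 otherwise.
cipher_uses_md5() {
    case "$1" in
        *MD5*) return 0 ;;
        *)     return 1 ;;
    esac
}

# audit_transcript TRANSCRIPT
# Prints one FINDING line per weakness and returns the number of findings
# (0 means both checks passed).
audit_transcript() {
    findings=0
    if ! check_renegotiation "$1"; then
        echo "FINDING: Secure Renegotiation (RFC 5746) is not supported"
        findings=$((findings + 1))
    fi
    cipher=$(negotiated_cipher "$1")
    if cipher_uses_md5 "$cipher"; then
        echo "FINDING: negotiated cipher suite uses MD5 ($cipher)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run the audit over the constructed transcript. Against a live server you
# operate, feed in real output instead, e.g.:
#   audit_transcript "$(echo 'GET / HTTP/1.1' | openssl s_client -connect host:443 2>/dev/null)"
audit_transcript "$SAMPLE_TRANSCRIPT" || echo "findings: $?"
```

Against the constructed transcript this reports both findings and exits with status 2; a transcript showing "Secure Renegotiation IS supported" and a non-MD5 suite reports nothing and exits 0, which is the state an update server should be in before clients are pointed at it.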