Re: [Fed-Talk] Software Updates in Mountain Lion?
- Subject: Re: [Fed-Talk] Software Updates in Mountain Lion?
- From: "Trouton, Rich R" <email@hidden>
- Date: Thu, 27 Sep 2012 19:49:25 +0000
- Thread-topic: [Fed-Talk] Software Updates in Mountain Lion?
On Sep 27, 2012, at 3:30 PM, Jeffrey Walton wrote:
> On Thu, Sep 27, 2012 at 11:15 AM, Silberberg, David
> <email@hidden> wrote:
>> We (1) rely on centralized software update to deploy patches/updates to our
>> few OS X machines, and (2) cannot access the Apple store from inside our
>> network. In working with Mountain Lion, we have discovered that the
>> software update function is configured to go to the Apple store, and we have
>> not found a way to redirect it to our OS X update server.
>>
>> Has anyone either found the same thing, or figured out how to use an
>> “internal provider” for updates?
> It gets even worse.
>
> Both "Software Update" UI and softwareupdate program use plain text
> HTTP. It does not appear to be user configurable (I have not found it,
> and I have been looking for some time). At minimum, I would expect the
> organization's update server to use HTTPS by default.
Mountain Lion checks via HTTPS:
http://managingosx.wordpress.com/2012/08/02/mountain-lion-and-software-update/
You can redirect to an internal software update server (either using Mountain Lion Server or the open source Reposado) by setting the correct address in /Library/Preferences/com.apple.SoftwareUpdate.plist.
You can set this with managed preferences or a defaults command. The defaults command should be:
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL https://server.name.here
Thanks,
Rich
>
> If there is an HTTPS connection available, it probably suffers all the
> customary infrastructure threats (when going outside the
> organization). That is, the software is not leveraging the
> "pre-existing relationship," so this can happen again within the
> update process: "Hacker Bypasses Apple's iOS In-App Purchases,"
> http://www.esecurityplanet.com/mobile-security/hacker-bypasses-apples-ios-in-app-purchases.html.
> Rather than fixing StoreKit with a technical control such as
> Certificate Pinning or Public Key Pinning, Apple sent their lawyers
> out for take downs. Sigh....
>
> The network code (both client and server) uses predictable TCP
> sequence numbers. I did not think anyone was running with that feature
> in their stack in 2012. You can confirm this with echo "GET / HTTP
> 1.1" | openssl s_client -connect swdownload.apple.com:443.
>
> Apple servers are misconfigured and unpatched. Secure Renegotiation is
> *not* supported, and MD5 is part of the client and server's preferred
> cipher. You can confirm this with echo "GET / HTTP 1.1" | openssl
> s_client -connect swdownload.apple.com:443.
>
> It's a wonder Macs are used in the Federal arena when Apple can't
> securely deliver updates (i.e., authenticity assurances). Anyone who
> has been through the process knows Supply Chain is within an
> organization's purview per SP 800-53A, SA-12.
>
> Jeff
---
Rich Trouton
email@hidden
JFRC Help Desk
phone: x4030
email: email@hidden
The best way to get in touch with me is through email.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
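One way to audit the CatalogURL setting the thread discusses on managed Macs, as an added example that is not from any of the posters: it parses com.apple.SoftwareUpdate.plist with Python's plistlib and flags a missing CatalogURL (client falls back to Apple's public catalog), a plaintext http:// catalog, or a host outside an approved list. The plist contents and the host name sus.example.internal are constructed for the example.

```python
import plistlib
from urllib.parse import urlparse

# Assumed name of the organization's internal Software Update server.
APPROVED_HOSTS = {"sus.example.internal"}

# Constructed sample plists modelled on /Library/Preferences/com.apple.SoftwareUpdate.plist.
PLIST_GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CatalogURL</key><string>https://sus.example.internal/index.sucatalog</string>
</dict></plist>"""
PLIST_HTTP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CatalogURL</key><string>http://sus.example.internal/index.sucatalog</string>
</dict></plist>"""
PLIST_EMPTY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict></dict></plist>"""


def audit_catalog_url(plist_bytes, approved_hosts=APPROVED_HOSTS):
    """Return a list of findings for the CatalogURL key; an empty list means it is acceptable."""
    prefs = plistlib.loads(plist_bytes)
    url = prefs.get("CatalogURL")
    findings = []
    if not url:
        # No override present: the client uses Apple's default catalog, which is
        # unreachable from a network that blocks the Apple store.
        findings.append("CatalogURL not set; client will use Apple's default catalog")
        return findings
    parsed = urlparse(url)
    if parsed.scheme != "https":
        # A plaintext catalog can be read or altered by anyone on the path.
        findings.append(f"CatalogURL scheme is {parsed.scheme!r}, not https")
    if parsed.hostname not in approved_hosts:
        findings.append(f"CatalogURL host {parsed.hostname!r} is not an approved update server")
    return findings


if __name__ == "__main__":
    for name, data in (("good", PLIST_GOOD), ("http", PLIST_HTTP), ("empty", PLIST_EMPTY)):
        print(name, audit_catalog_url(data) or ["OK"])
```

On a real Mac, feed it the bytes of /Library/Preferences/com.apple.SoftwareUpdate.plist (binary plists parse the same way).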