
crsud process with security update 2013-001

36962 Views 168 Replies Latest reply: Sep 8, 2013 9:10 AM by MadMacs0 RSS
SaltySailor
Mar 15, 2013 2:08 PM

I just installed the new security update, 2013-001, and Little Snitch detected a new process at startup, crsud, which wants to connect to Apple.

 

I would like to know what this does. My guess is that it checks for updates, perhaps to some security software. Anyone know?

 

It seems to me that when such a process is added, it is appropriate for Apple to explain itself in the update description, but I am old-fashioned about such things.

 

Greg

MBP 17" 2.33GHz, Mac OS X (10.5.1)
  • WZZZ Level 6 (11,900 points)
    Mar 15, 2013 2:44 PM (in response to SaltySailor)

    Doesn't look like Apple is saying anything about it...yet. I will just deny until I know what it's for.

  • ds store Level 7 (30,305 points)
    Mar 15, 2013 6:12 PM (in response to SaltySailor)

    Yes, it connects to certain Apple servers hosted on Akamai host servers that contain Apple updates in the past.

     

    I suspect it's checking for updates for the malware removal that was installed with the latest update.

     

     

    • Malware removal

      Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

      Description: This update runs a malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.

     

    https://support.apple.com/kb/HT5672

  • MadMacs0 Level 4 (3,350 points)
    Mar 15, 2013 6:18 PM (in response to SaltySailor)

    Most of those of us here can only speculate on what it does and those that might know aren't allowed to post an answer. If you are interested in getting some guesses, it would help to know a bit more about your situation.

     

    Obviously you aren't running OS X 10.5.1 as your profile would indicate, so are you using Snow Leopard or Lion?

     

    Did you install the Safari update at the same time? If so, then it might be a Safari process.

     

    How often does it try to connect to Apple?

     

    What is the path to crsud? If you double-click on the Little Snitch rule it will show it right below the process name box. Or you should be able to find it using EasyFind, Find Any File or the Terminal app's locate command.

  • Derek Currie
    Mar 15, 2013 6:18 PM (in response to SaltySailor)

    I found a similar concern over at a German 'MacUser' thread. Here is what I have figured out so far:

     

    - crsud is a new UNIX executable installed ONLY with Apple Security Update 2013-001. It is NOT installed into OS X 10.8.3. It doesn't exist in 10.8.3.

     

    - In updated 10.6.8 and 10.7.5 it is located at:

    /usr/libexec/crsud

     

    - It is dated December 12, 2012.

     

    - The headers for the executable indicate a dependency on Apple's security system, both Security.framework and SecurityFoundation.framework.

     

    - The footer for the executable apparently includes an Apple security certificate.

     

    That's all so far. I've asked some friends in Mac security for any further information they may have found.

     

    :-Derek
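
One way to check the two observations in the post above (which frameworks a binary links against, and whether it carries an embedded code signature), as an added example that is not part of the original thread. It assumes a thin little-endian Mach-O file; `inspect_macho` and `build_sample` are hypothetical names and the sample bytes are constructed, not taken from crsud.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # 32-bit / 64-bit Mach-O
LC_LOAD_DYLIB, LC_CODE_SIGNATURE = 0x0C, 0x1D       # load command types

def inspect_macho(data):
    """Return (linked dylib paths, (offset, size) of the signature blob or None)."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic, _cpu, _sub, _type, ncmds, sizeofcmds, _flags = struct.unpack_from("<7I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O (fat/big-endian not handled)")
    off = 32 if magic == MH_MAGIC_64 else 28         # 64-bit header has a reserved word
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    dylibs, signature = [], None
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize in load command")
        if cmd == LC_LOAD_DYLIB and cmdsize >= 24:
            # dylib_command: the name is stored at an offset from the command start
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            if not 24 <= name_off < cmdsize:
                raise ValueError("dylib name offset out of range")
            raw = data[off + name_off: off + cmdsize]
            dylibs.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        elif cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            # linkedit_data_command: file offset and size of the signature blob
            signature = struct.unpack_from("<2I", data, off + 8)
        off += cmdsize
    return dylibs, signature

def _dylib_cmd(path):
    # Build one LC_LOAD_DYLIB command, NUL-padded to an 8-byte boundary.
    name = path.encode() + b"\0"
    name += b"\0" * (-(24 + len(name)) % 8)
    return struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name

def build_sample():
    # Constructed header plus load commands only; no code and no real signature.
    fw = "/System/Library/Frameworks/"
    cmds = [_dylib_cmd(fw + "Security.framework/Versions/A/Security"),
            _dylib_cmd(fw + "SecurityFoundation.framework/Versions/A/SecurityFoundation"),
            struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0x1000, 0x200)]
    body = b"".join(cmds)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, len(cmds), len(body), 0, 0) + body
```

On a Mac, `otool -L` and `codesign -dvv` report the same information for a real binary and also validate the signature, which this parser does not.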

  • Derek Currie Level 1 (90 points)
    Mar 15, 2013 7:12 PM (in response to Derek Currie)

    A couple Mac security friends chimed in and suggest the following:

    Startingcom.apple.softwareupdate.crsucrsud- Has to do with code signing and software update and trust evaluation in Lion. Mountain Lion handles it differently.

    . . .
    Code Signing and Software Update was exactly my guess after browsing through the executable’s text content. I was just trying to figure out which part of the update documentation applies, but that doesn’t seem to help.
  • WZZZ Level 6 (11,900 points)
    Mar 15, 2013 8:34 PM (in response to WZZZ)

    Decided to allow. crsud connected on ports 443 and 80 and then curl wanted to connect????

  • MadMacs0 Level 4 (3,350 points)
    Mar 15, 2013 8:56 PM (in response to WZZZ)

    WZZZ wrote:

     

    curl wanted to connect????

    curl is a common process for transferring data with URL syntax. I see it used by a number of routines with my setup and it has been permanently approved with port 80 for a very long time.

  • ApMaX Level 1 (5 points)
    Mar 16, 2013 3:19 AM (in response to SaltySailor)

    Same here on Mac OS X 10.6.8 after cold booting or rebooting:

     

    Connection attempts during login

    crsud

    /usr/libexec/crsud

    Outgoing connections to domain apple.com

  • WZZZ Level 6 (11,900 points)
    Mar 16, 2013 6:05 AM (in response to MadMacs0)

    Screen shot 2013-03-16 at 8.57.36 AM.png

    Thanks. This was the first time I've seen it.

     

    Not found in system.log, but in All Messages, so can't paste it in. This is what I got when I allowed crsud to run last night. But no mention of curl anywhere in the logs.

     

    Screen shot 2013-03-16 at 9.03.13 AM.png

  • WZZZ Level 6 (11,900 points)
    Mar 16, 2013 6:34 AM (in response to WZZZ)

    Next question awaiting some possible answer is what kind of data does curl send back to Apple here after crsud runs?

  • ds store Level 7 (30,305 points)
    Mar 16, 2013 8:36 AM (in response to WZZZ)

    WZZZ wrote:

     

    Next question awaiting some possible answer is what kind of data does curl send back to Apple here after crsud runs?

     

    Likely your iPhone location data

     

    https://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html

     

     

    If Apple wanted to spy, a simple EFI update and one wouldn't know diddly squat.

     

    In fact I saw network traffic occurring over my Wifi while EFI was booting, so I know something is going on behind the scenes already.

  • ApMaX Level 1 (5 points)
    Mar 17, 2013 1:55 AM (in response to SaltySailor)

    I have found that the Little Snitch crsud (/usr/libexec/crsud) warning message about connection attempts during login (outgoing connections to domain apple.com) goes away if

     

    Apple - System Preferences - Security - General - Automatically install important security updates

     

    is unchecked (turned OFF).

  • Yeehat
    Mar 17, 2013 5:22 AM (in response to ApMaX)

    ApMaX wrote:

     

    I have found that the Little Snitch crsud (/usr/libexec/crsud) warning message about connection attempts during login (outgoing connections to domain apple.com) goes away if

     

    Apple - System Preferences - Security - General - Automatically install important security updates

     

    is unchecked (turned OFF).

     

    Are you on 10.6.8? I don't have this option. The only sort of similar one is Automatically update safe downloads list (and I suppose this one may pertain to crsud and curl).
