168 Replies Latest reply: Sep 8, 2013 9:10 AM by MadMacs0
SaltySailor Level 1 (0 points)

I just installed the new security update, 2013-001, and Little Snitch detected a new process at startup, crsud, which wants to connect to Apple.

 

I would like to know what this does. My guess is that it checks for updates, perhaps to some security software. Anyone know?

 

It seems to me that when such a process is added, it is appropriate for Apple to explain itself in the update description, but I am old-fashioned about such things.

 

Greg


MBP 17" 2.33GHz, Mac OS X (10.5.1)
  • 1. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,225 points)

    Doesn't look like Apple is saying anything about it...yet. I will just deny until I know what it's for.

  • 2. Re: crsud process with security update 2013-001
    ds store Level 7 (30,305 points)

    Yes, it connects to certain Apple servers hosted on Akamai host servers that contain Apple updates in the past.

     

    I suspect it's checking for updates for the malware removal that was installed with the latest update.

     

     

    • Malware removal

      Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

      Description: This update runs a malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.

     

    https://support.apple.com/kb/HT5672

  • 3. Re: crsud process with security update 2013-001
    MadMacs0 Level 4 (3,735 points)

    Most of those of us here can only speculate on what it does and those that might know aren't allowed to post an answer. If you are interested in getting some guesses, it would help to know a bit more about your situation.

     

    Obviously you aren't running OS X 10.5.1 as your profile would indicate, so are you using Snow Leopard or Lion?

     

    Did you install the Safari update at the same time? If so, then it might be a Safari process.

     

    How often does it try to connect to Apple?

     

    What is the path to crsud? If you double-click on the Little Snitch rule it will show it right below the process name box. Or you should be able to find it using EasyFind, Find Any File or the Terminal app's locate command.

  • 4. Re: crsud process with security update 2013-001
    Derek Currie Level 1 (90 points)

    I found a similar concern over at a German 'MacUser' thread. Here is what I have figured out so far:

     

    - crsud is a new UNIX executable installed ONLY with Apple Security Update 2013-001. It is NOT installed into OS X 10.8.3. It doesn't exist in 10.8.3.

     

    - In updated 10.6.8 and 10.7.5 it is located at:

    /usr/libexec/crsud

     

    - It is dated December 12, 2012.

     

    - The headers for the executable indicate a dependency on Apple's security system, both Security.framework and SecurityFoundation.framework.

     

    - The footer for the executable apparently includes an Apple security certificate.

     

    That's all so far. I've asked some friends in Mac security for any further information they may have found.

     

    :-Derek

  • 5. Re: crsud process with security update 2013-001
    SaltySailor Level 1 (0 points)

    Thanks all, esp Derek. It seems like it is something to allow permanent access. Still wish Apple would explain themselves, as a lot of us do take ownership of our computers and watch what is happening.

     

    I didn't realize my profile had the old OS - now fixed. Still, this thread is in the Snow Leopard community...

     

    Greg

  • 6. Re: crsud process with security update 2013-001
    Derek Currie Level 1 (90 points)

    A couple Mac security friends chimed in and suggest the following:

    Startingcom.apple.softwareupdate.crsucrsud- Has to do with code signing and software update and trust evaluation in Lion. Mountain lion handles it different.

    . . .
    Code Signing and Software Update was exactly my guess after browsing through the executable’s text content. I was just trying to figure out which part of the update documentation applies, but that doesn’t seem to help.
  • 7. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,225 points)

    Decided to allow. crsud connected on ports 443 and 80 and then curl wanted to connect????

  • 8. Re: crsud process with security update 2013-001
    MadMacs0 Level 4 (3,735 points)

    WZZZ wrote:

     

    curl wanted to connect????

    curl is a common process for transferring data with URL syntax. I see it used by a number of routines with my setup and it has been permanently approved with port 80 for a very long time.

  • 9. Re: crsud process with security update 2013-001
    ApMaX Level 1 (5 points)

    Same here on Mac OS X 10.6.8 after cold booting or rebooting:

     

    Connection attempts during login

    crsud

    /usr/libexec/crsud

    Outgoing connections to domain apple.com

  • 10. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,225 points)

    Screen shot 2013-03-16 at 8.57.36 AM.png

    Thanks. This was the first time I've seen it.

     

    Not found in system.log, but in All Messages, so can't paste it in. This is what I got when I allowed crsud to run last night. But no mention of curl anywhere in the logs.

     

    Screen shot 2013-03-16 at 9.03.13 AM.png

  • 11. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,225 points)

    Next question awaiting some possible answer is what kind of data does curl send back to Apple here after crsud runs?

  • 12. Re: crsud process with security update 2013-001
    ds store Level 7 (30,305 points)

    WZZZ wrote:

     

    Next question awaiting some possible answer is what kind of data does curl send back to Apple here after crsud runs?

     

    Likely your iPhone location data

     

    https://www.apple.com/pr/library/2011/04/27Apple-Q-A-on-Location-Data.html

     

     

    If Apple wanted to spy, a simple EFI update and one wouldn't know diddly squat.

     

    In fact I saw network traffic occurring over my Wifi while EFI was booting, so I know something is going on behind the scenes already.

  • 13. Re: crsud process with security update 2013-001
    ApMaX Level 1 (5 points)

    I have found that the Little Snitch crsud (/usr/libexec/crsud) warning message about connection attempts during login (outgoing connections to domain apple.com) goes away if

     

    Apple - System Preferences - Security - General - Automatically install important security updates

     

    is unchecked (turned OFF).

  • 14. Re: crsud process with security update 2013-001
    Yeehat Level 1 (40 points)

    ApMaX wrote:

     

    I have found that the Little Snitch crsud (/usr/libexec/crsud) warning message about connection attempts during login (outgoing connections to domain apple.com) goes away if

     

    Apple - System Preferences - Security - General - Automatically install important security updates

     

    is unchecked (turned OFF).

     

    Are you on 10.6.8? I don't have this option. The only sort of similar one is Automatically update safe downloads list (and I suppose this one may pertain to crsud and curl).
