168 Replies. Latest reply: Sep 8, 2013 9:10 AM by MadMacs0
  • 15. Re: crsud process with security update 2013-001
    ApMaX Level 1 (5 points)

    Yes, I am on Mac OS X 10.6.8 as indicated on my previous post, above. I believe that "Automatically update safe downloads list" (I had that on June 2011) is equivalent to "Automatically install important security updates" (I have it now).

  • 16. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,205 points)

    You should have it in 10.6.8.

    Screen shot 2013-03-17 at 8.49.35 AM.png

  • 17. Re: crsud process with security update 2013-001
    Yeehat Level 1 (40 points)

    WZZZ wrote:

    You should have it in 10.6.8.

    That's really strange... Here's my screenshot: snapshot.png

    My machine is a mid-2010 MBP 13". I didn't install this security update yet: it updates Security.prefPane from version 2.4 to 2.5. Are you sure you had this Automatically install important security updates thing before applying Security Update 2013-001?

  • 18. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,205 points)

    I'm beginning to think that, since it supposedly doesn't happen when Automatically install important security updates is unchecked in Security, that crsud connecting to swscan (Software Update) is looking in from time to time to see if there are any Security Updates for maybe new silent updating. Although, if this is so, I'm not sure I'd be too trusting about something as huge as a Security Update being silently installed, especially since I've never seen a Security Update that didn't need a restart.

    This was what the Security pane used to look like pre-update. Note the change from "Safe Downloads," which would have meant Safari only, to Important Security Updates.

    Screen shot 2013-03-17 at 12.23.55 PM.png

    And, if you haven't already done so, uncheck "Open 'safe' files after downloading" in Safari Preferences. Whether or not Apple keeps this list updated or not, this is an enormous security risk.

  • 19. Re: crsud process with security update 2013-001
    Yeehat Level 1 (40 points)

    WZZZ wrote:

    I'm beginning to think that, since it supposedly doesn't happen when Automatically install important security updates is unchecked in Security, that crsud connecting to swscan (Software Update) is looking in from time to time to see if there are any Security Updates for maybe new silent updating. Although, if this is so, I'm not sure I'd be too trusting about something as huge as a Security Update being silently installed, especially since I've never seen a Security Update that didn't need a restart.

    I think your guess is correct and I too don't like silent (to say the least) updates. Even though someone calls this "paranoia". BTW, what should important mean?

    And, if you haven't already done so, uncheck "Open 'safe' files after downloading" in Safari Preferences. Whether or not Apple keeps this list updated or not, this is an enormous security risk.

    Thanks, I had already done; I had just forgotten to uncheck Automatically update safe downloads list too.

  • 20. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,205 points)

    What I said is only a guess and quite tentative.

  • 21. Re: crsud process with security update 2013-001
    andyBall_uk Level 7 (20,310 points)

    >>What I said is only a guess and quite tentative.

    but a good one - especially given the strings suggesting that it looks for the sucatalog, runs only if xprotect is active; as well as other details.

    If you find out what Codeginger is... (careful/cautious, since we're speculating)

  • 22. Re: crsud process with security update 2013-001
    andyBall_uk Level 7 (20,310 points)

    although looking at your screenshot above - it seems to check the validity/content of packages already downloaded; either its main purpose, or additionally.

  • 23. Re: crsud process with security update 2013-001
    MadMacs0 Level 4 (3,720 points)

    WZZZ wrote:

    This was what the Security pane used to look like pre-update. Note the change from "Safe Downloads," which would have meant Safari only, to Important Security Updates.

    I think you may be confusing "Safe downloads list" with Google's "Safe browsing" which is Safari only. The Safe downloads list is for XProtect updates. Recall that toggling the check box is the safe way to force an update. I wonder if that represents a change in the way XProtect is controlled now, i.e. perhaps it cannot be disabled any longer.

    Message was edited by: MadMacs0

    After further review, I see that the Safe downloads list option has been moved according to About file quarantine in OS X at the bottom when you click on "Advanced Users Only." Except that I don't see an Advanced button on your screenshot, even though this says it applies to 10.6.8.

  • 24. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,205 points)

    I wasn't confusing that with Google Safe Browsing, but yes I was getting that wrong. Completely forgot that was related to XProtect; was mistakenly thinking it was for updating Safari's list of "safe" downloads, which it never was. If that list exists, it may live in the CoreTypes safe file type list for ML and Lion. But I'm not seeing that in Snow anywhere, not at least in CoreTypes.

    And in 10.6.8 I don't have a Security & Privacy pane, and no Advanced there either. Just what my screenshot shows, but now changed to Automatically install important security updates.

    (This is why I was thinking Safari Safe Downloads, but I realize CoreTypes safe file type list might be something else entirely. From the latest About the security content....)

    CoreTypes

    Available for: OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

    Impact: Visiting a maliciously crafted website could allow a Java Web Start application to be launched automatically even if the Java plug-in is disabled

    Description: Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory.

    http://support.apple.com/kb/HT5672

  • 25. Re: crsud process with security update 2013-001
    MadMacs0 Level 4 (3,720 points)

    WZZZ wrote:

    I wasn't confusing that with Google Safe Browsing, but yes I was getting that wrong. Completely forgot that was related to XProtect; was mistakenly thinking it was for updating Safari's list of "safe" downloads, which it never was. If that list exists, it may live in the CoreTypes safe file type list for ML and Lion. But I'm not seeing that in Snow anywhere, not at least in CoreTypes.

    And in 10.6.8 I don't have a Security & Privacy pane, and no Advanced there either. Just what my screenshot shows, but now changed to Automatically install important security updates.

    Yes, well, one thing that is abundantly clear is that Apple has made some significant changes to security with this latest update, at least to Lion and above, and not fully documented them all. I guess we'll just have to continue to speculate and learn over time exactly what's going on here.

    Although OT here, I do wonder what happened to the XProtect update system.

    And like Yeehat, what constitutes "important security updates"?

  • 26. Re: crsud process with security update 2013-001
    ds store Level 7 (30,305 points)

    MadMacs0 wrote:

    Although OT here, I do wonder what happened to the XProtect update system.

    And like Yeehat, what constitutes "important security updates"?

    I'm very happy Apple paid attention to 10.6 and issued a Safari 5.1.8 update also.

    This anti-malware scanner came up clean on my machine. Nothing to report.

    I will of course still recommend and use ClamXav.

    BTW ClamXav finds W32.Perelett.15399 on my Win 7 VM (Fusion) occasionally.

    By using Little Snitch, I blocked Windows from making anything outbound, used a pristine snapshot, then only allowed time.windows.com and connection to Adobe's Akamai server; I assume it's for Flash.

    I ran a scan and got the malware. Microsoft Security Essentials, ClamWin, MalwareBytes didn't pick it up.

    This has been going on for a few times now, I just roll back the snapshot and it's gone, allow the older one to connect online and it's there again.

    Also the CS2 download, once installed in Win 7, ClamWin picks up Ramnit.

    So Adobe is hosting malware.

  • 27. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,205 points)

    One more time. What makes you think crsud is a malware scanner?

    From my logs:

    Screen shot 2013-03-17 at 9.47.53 PM.png

    andyBall_uk wrote: although looking at your screenshot above - it seems to check the validity/content of packages already downloaded; either its main purpose, or additionally.

    Message was edited by: WZZZ

  • 28. Re: crsud process with security update 2013-001
    ds store Level 7 (30,305 points)

    WZZZ wrote:

    What makes you think crsud is a malware scanner?

    Because Apple changed "Safe files" in System Preferences and they said they did install an anti-malware scanner.

    So instead of Xprotect just stopping trojans, it's now looking for known malware and checking for updates for that with a new process on 10.6.

    It only reports if it finds something, so until someone comes here with an infection or purposely infects their machine to see what it does, we don't know how it will react until then.

  • 29. Re: crsud process with security update 2013-001
    WZZZ Level 6 (12,205 points)

    and they said they did install an anti-malware scanner.

    No, AFAIK that was just a one-time scan that came when running the security update. At least that's all we have to go on right now. Until we hear more, I think you're jumping to conclusions. Believe me, I would hope you're right, but you really have no support for that.

    Malware removal

    Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.2

    Description: This update runs a malware removal tool that will remove the most common variants of malware. If malware is found, it presents a dialog notifying the user that malware was removed. There is no indication to the user if malware is not found.

    http://support.apple.com/kb/HT5672
