8 Replies Latest reply: Jan 19, 2013 4:06 PM by jdbunda
jdbunda Level 1 Level 1 (0 points)

Am I the only one who sees this as a potential security risk? I have been using computers my entire life, and I am still surprised by this, and I cannot believe it has not become a problem.

The issue is this - when installing software, you are prompted to enter your admin password before the app installer will run. This seems fine when explicitly launching a .dmg file.

However, many applications will download a new version, then launch the installer themselves. So we become used to the idea of, for example, an app launching a dialog that says "Software update available - do you want to install?", then if you click yes, it downloads/launches the installer of the new version. (For example, I just had this happen with Adobe Flash, but I have experienced it with several apps I use.) So - the installer launches and a dialog pops up requesting that I enter my admin password.

So in this scenario, how does one tell the difference between a legitimate system prompt for the admin password, and a rogue app that is phishing for my root password? It would be easy for an app developer to spoof this entire process - "do you want to install the new version?" "please enter your admin password" - and I claim it would be indistinguishable from a legit prompt for my password when launching a .dmg.

Moreover, the frequency of this operation somewhat desensitizes us to entering our root passwords whenever any semi-official dialog pops up requesting it.

This seems like a significant security risk.


iMac (27-inch Mid 2011), Mac OS X (10.7.5)
  • Alberto Ravasio Level 4 Level 4 (3,370 points)

    If you got the application from the original developer site or the App Store, it should be safe to enter your admin credentials to install an update or a new program.

    If you don't trust them, don't install the program.

  • MartinR Level 6 Level 6 (14,815 points)

    how does one tell the difference between a legitimate system prompt for the admin password, and a rogue app that is phishing for my root password?

    You have to be diligent about what apps you trust to install in the first place, and also any updates that are offered. My recommendation is NEVER allow an app to automatically update itself. There is almost no reason to let any app update itself automatically. You can always manually go to the app (developer) website and check if there is any update available, download it and run the update yourself.

    Also, in case you were specifically asking about root passwords, this is something you should never enable. An OS X admin account with a password is not the same as a root password. Root passwords have to be specifically enabled by you on your Mac (and I'm not going to reveal how to do it). One of the safeguards in OS X is that root passwords are not enabled by default.

  • Alberto Ravasio Level 4 Level 4 (3,370 points)

    MartinR wrote:

    Also in case you were specifically asking about root passwords, this is something you should never enable. An OS X admin account with a password is not the same as a root password. Root passwords have to be specifically enabled by you on your Mac (and I'm not going to reveal how to do it). This is one of the safeguards in OS X that root passwords are by default not enabled.

    I do not completely agree with the above statement.

    An admin user can escalate to root, even though you never set a password for root.

    As a matter of fact, a standard user may also escalate to root with an admin user's credentials.

  • Radiation Mac Level 5 Level 5 (4,635 points)

    Well, just to explore your question a bit, it seems that the alternative then is to NOT require that the User enter their secret password in order to install new software Updates: that way your password is still "safe", but you have freely allowed any malicious downloaded software to install itself since it no longer requires password access. Do you see the problem and the dilemma? So in Mountain Lion, Apple addressed this problem by enabling the "sandboxing" of applications and their upgrades. By default, if the downloaded App or Upgrade did NOT come from a "Verified by APPLE" Developer or Apple itself, it will NOT Install even WITH the Admin password, unless you override the process intentionally.

    Ultimately, the safety of the password system relies on the application of intelligence and discretion and common sense by the computer User. There will always be 3rd party rogues spending their free time trying to outwit the software and security designers.

    For what it's worth.

    Hope this helps

  • jdbunda Level 1 Level 1 (0 points)

    Thanks all for the replies. I hate to say it, but I think Windows gets this one right by making the pop-up dialog do something that applications typically cannot do, that is, dim the screen background; it is much more obviously a system event based on detected behavior, and not just an ordinary application dialog. In fact, the OS X dialog usually has text that obviously comes from the app itself, and it is not something that the system has detected and wants you to allow or disallow.

    Obviously I can do as suggested and only install something from a trusted source (duh), but my claim is that most people won't do that, either out of laziness or failure to perceive risk, and that in itself is the risk.

    I just do not think training people to enter their ADMIN password to random pop-up dialogs is good policy. It should only be entered in response to an (obvious) system event/dialog. Just my $.02.

  • jdbunda Level 1 Level 1 (0 points)

    I have to admit, I am a bit disappointed in these responses. It is obvious that I can, to some degree, mitigate risk to my own machine by only installing applications from a so-called trusted source, that is, the App Store or the application vendor. But can we be really sure that just because an app is curated by the Apple Store, or is downloaded from a developer website, that the app can be trusted?

    It would be simple to hide code in an app that would be activated at some future date that would bring up a "new version available - download now?" and walk the user through a simulated (or even actual) update process that includes a capture of his admin password. Some percentage of users might be sophisticated or suspicious and decline the update, but many would simply follow the by-now familiar process, unwittingly compromising their machine. Therefore, this creates a vector for attack of Apple systems. Even if my machine is not compromised, if the community at large is subject to a widespread attack, this would be bad.

    One reason I am currently using an iMac is because it is not subject to the myriad attacks aimed at Windows machines, and I would prefer that things remain this way as long as possible.

    Note - I am not suggesting that the admin password should not be required; I am suggesting that an alternate mechanism be used for its solicitation, something that is an obvious system-level prompt. The intent is to prevent the community at large from becoming inured to entering their admin password to any ad hoc user-level dialog that claims it is necessary.

  • MartinR Level 6 Level 6 (14,815 points)

    But can we be really sure that just because an app is curated by the Apple Store, or is downloaded from a developer website, that the app can be trusted?

    It could be argued that Apple OS X is one of the more secure operating systems to begin with. But risks abound nonetheless. I believe I am a whole lot safer on OS X than anyone ever was on Windows.

    While you can never be absolutely sure about anything, there are levels of trust. The Apple App Store is one such level of trust, and a good one at that, as approved apps have to meet Apple criteria before being allowed into the App Store. I would certainly trust an Apple App Store app more than one sourced from other places, including a developer's own website. Sandboxing is another level of app security implemented by Apple.

    Sure, it would be "simple" for a developer to hide zero-day code in an app. That's why you as a consumer have to be alert enough to do your own due diligence before downloading & installing anything. But there are far too many people who have no regard for their own security and wantonly download & install just about anything. You're smart enough not to do that, right?

    The intent is to prevent the community at large from becoming inured to entering their admin password to any ad hoc user-level dialog that claims it is necessary.

    No one, not even the most experienced sysadmin, should ever enter their admin password without knowing exactly why they are doing it, and the risks entailed. No one, not even Apple, can protect you from yourself. Ultimately, your system security is your own responsibility, not someone else's to do for you.

  • jdbunda Level 1 Level 1 (0 points)

    Wow, I am stunned by the nonsensical logic of some of the replies in this thread. I find it hard to believe that I am the only one who is seeing the risk here. Is everyone here an Apple-can-do-no-wrong fanboy? This is basic stuff.

    Yes, OS X is intrinsically more secure than Windows, for any number of reasons that are not worth going into here. And of course the Apple Store is probably a pretty good line of defense.

    OF COURSE one should "be careful" when entering their admin password on ANY SYSTEM. One of Apple's talking points is you don't have to be a sophisticated power user to use a Mac. Let's just stipulate that anyone using this forum is probably smart enough to use care when entering their admin password and vetting whatever software they are looking to install. But let us also stipulate that this is NOT the majority of users.

    I have two Macs now, and have installed many third-party programs on my Mac, virtually none of them available through the App Store. These are everything from tools and utilities (Parallels, a VNC client that works where Screen Sharing is broken) to music production tools (Pro Tools, EZ Drummer, etc.). Many of these automatically download updates and prompt for installation. Do I trust the providers of most of these tools? I suppose, but other than them having professional-looking web sites, what is that trust based upon? And there is no guarantee that I am not subject to the whim of a rogue employee developer, or even a hacked web site.

    To be sure, the core OS is intrinsically more secure than Windows. But I consider this fundamental policy of the OS to be flawed by introducing this obvious vector for potential compromise. We can argue about whether I am smart enough to not type my password when I shouldn't, but it is the community at large who is at risk. If I am stupid and my system is compromised, the risk to yours just went up. When you look at the clever tactics people have used to phish for, say, bank and email passwords, and how many smart people have fallen for them, it only seems a matter of time before someone tries to exploit this flaw. The last thing I want or need is to have to jump through a bunch of hoops to investigate whether an app (or version of an app) I might want to install is or isn't "trusted" when it pops up asking me for my admin password (again).

    This is simple:

    1. No application-level process should ever require a clear-text admin password.

    2. All prompts for the admin password should be handled by inner-ring system-level code, not user-level.

    3. The dialog that prompts me for my password should be obviously visually distinct from an application-level dialog.

    OS X applications might actually be implementing the first two, but the user cannot tell during an application installation. In other words, unless I also implement 3, I cannot be sure of 1 or 2.

    Not trying to stir up trouble, just pointing out an obvious flaw.