entering password to install software - security exposure?

Am I the only one who sees this as a potential security risk? I have been using computers my entire life, and I am still surprised by this, and I cannot believe it has not become a problem.


The issue is this - when installing software, you are prompted to enter your admin password before the app installer will run. This seems fine when explicitly launching a .dmg file.


However, many applications will download a new version, then launch the installer themselves. So we become used to the idea of, for example, an app launching a dialog that says "Software update available - do you want to install?", then if you click yes, it downloads/launches the installer of the new version. (For example, I just had this happen with Adobe Flash, but I have experienced it with several apps I use). So - the installer launches and a dialog pops up requesting that I enter my admin password.


So in this scenario, how does one tell the difference between a legitimate system prompt for the admin password, and a rogue app that is phishing for my root password? It would be easy for an app developer to spoof this entire process - "do you want to install the new version?" "please enter your admin password" and I claim it would be indistinguishable from a legit prompt for my password when launching a .dmg.


Moreover, the frequency of this operation somewhat desensitizes us to entering our root passwords whenever any semi-official dialog pops up requesting it.


This seems like a significant security risk.

iMac (27-inch Mid 2011), Mac OS X (10.7.5)

Posted on Nov 10, 2012 8:21 AM


Nov 10, 2012 3:22 PM in response to jdbunda

how does one tell the difference between a legitimate system prompt for the admin password, and a rogue app that is phishing for my root password?


You have to be diligent about what apps you trust to install in the first place, and also any updates that are offered. My recommendation is NEVER allow an app to automatically update itself. There is almost no reason to let any app update itself automatically. You can always manually go to the app (developer) website and check if there is any update available, download it and run the update yourself.


Also in case you were specifically asking about root passwords, this is something you should never enable. An OS X admin account with a password is not the same as a root password. Root passwords have to be specifically enabled by you on your Mac (and I'm not going to reveal how to do it). This is one of the safeguards in OS X that root passwords are by default not enabled.

Nov 11, 2012 2:24 AM in response to MartinR

MartinR wrote:


Also in case you were specifically asking about root passwords, this is something you should never enable. An OS X admin account with a password is not the same as a root password. Root passwords have to be specifically enabled by you on your Mac (and I'm not going to reveal how to do it). This is one of the safeguards in OS X that root passwords are by default not enabled.


I do not completely agree with the above statement.

An admin user can escalate to root, even though you never set a password for root.

As a matter of fact also a standard user may escalate to root with an admin user's credentials.

Nov 11, 2012 4:34 AM in response to Alberto Ravasio

Well, just to explore your question a bit, it seems that the alternative then is to NOT require that the User enter their secret password in order to install new software Updates: That way your password is still "safe", but you have freely allowed any malicious downloaded software to install itself since it no longer requires password access. Do you see the problem and the dilemma? So in Mountain Lion, Apple addressed this problem by enabling the "sandboxing" of applications and their upgrades. By default, if the downloaded App or Upgrade did NOT come from a "Verified by APPLE" Developer or Apple itself, it will NOT Install even WITH the Admin password. Unless you override the process intentionally.


Ultimately, the safety of the password system relies on the application of intelligence and discretion and common sense by the computer User. There will always be 3rd party rogues spending their free time trying to outwit the software and security designers.


For what it's worth.



Hope this helps 🙂

Nov 11, 2012 6:38 AM in response to Radiation Mac

Thanks all for the replies. I hate to say it, but I think Windows gets this one right by making the pop up dialog do something that applications typically cannot do, that is dim the screen background, it is much more obviously a system event based on detected behavior, and not just an ordinary application dialog. In fact, the OSX dialog usually has text that obviously comes from the app itself, and it is not something that the system has detected and wants you to allow or disallow.


Obviously I can do as suggested and only install something from a trusted source (duh), but my claim is that most people won't do that, either out of laziness or failure to perceive risk, and that in itself is the risk.


I just do not think training people to enter their ADMIN password to random pop up dialogs is good policy. It should only be entered in response to an (obvious) system event/dialog. Just my $.02.

Jan 18, 2013 3:13 PM in response to jdbunda

I have to admit, I am a bit disappointed in these responses. It is obvious that I can, to some degree, mitigate risk to my own machine by only installing applications from a so-called trusted source, that is the app store or the application vendor. But can we be really sure that just because an app is curated by the Apple Store, or is downloaded from a developer website, that the app can be trusted?


It would be simple to hide code in an app that would be activated at some future date that would bring up a "new version available - download now?" and walk the user through a simulated (or even actual) update process that includes a capture of his admin password. Some percentage of users might be sophisticated or suspicious and decline the update, but many would simply follow the by-now familiar process, unwittingly compromising their machine. Therefore, this creates a vector for attack of Apple systems. Even if my machine is not compromised, if the community at large is subject to a widespread attack, this would be bad.


One reason I am currently using an iMac is because it is not subject to the myriad attacks aimed at Windows machines, and I would prefer that things remain this way as long as possible.


Note - I am not suggesting that the admin password should not be required, I am suggesting that an alternate mechanism be used for its solicitation, something that is an obvious system level prompt. The intent is to prevent the community at large from becoming inured to entering their admin password to any ad hoc user-level dialog that claims it is necessary.

Jan 18, 2013 9:21 PM in response to jdbunda

But can we be really sure that just because an app is curated by the Apple Store, or is downloaded from a developer website, that the app can be trusted?


It could be argued that Apple OS X is one of the more secure operating systems to begin with. But risks abound nonetheless. I believe I am a whole lot safer on OS X than anyone ever was on Windows.


While you can never be absolutely sure about anything, there are levels of trust. The Apple App Store is one such level of trust, and a good one at that, as approved apps have to meet Apple criteria before being allowed into the App Store. I would certainly trust an Apple App Store app more than one sourced from other places including a developer's own website. Sandboxing is another level of app security implemented by Apple.


Sure, it would be "simple" for a developer to hide zero-day code in an app. That's why you as a consumer have to be alert enough to do your own due diligence before downloading & installing anything. But there are far too many people who have no regard for their own security and wantonly download & install just about anything. You're smart enough not to do that, right?


The intent is to prevent the community at large from becoming inured to entering their admin password to any ad hoc user-level dialog that claims it is necessary.


No one, not even the most experienced sysadmin, should ever enter their admin password without knowing exactly why they are doing it, and the risks entailed. No one, not even Apple, can protect you from yourself. Ultimately, your system security is your own responsibility, not someone else's to do for you.

Jan 19, 2013 4:06 PM in response to MartinR

Wow, I am stunned by the nonsensical logic of some of the replies in this thread. I find it hard to believe that I am the only one who is seeing the risk here. Is everyone here an Apple-can-do-no-wrong fanboy? This is basic stuff.


Yes, OS X is intrinsically more secure than Windows, for any number of reasons that are not worth going into here. And of course the Apple Store is probably a pretty good line of defense.


OF COURSE one should "be careful" when entering their admin password on ANY SYSTEM. One of Apple's talking points is you don't have to be a sophisticated power user to use a Mac. Let's just stipulate that anyone using this forum is probably smart enough to use care when entering their admin password and vetting whatever software they are looking to install. But let us also stipulate that this is NOT the majority of users.


I have two Macs now, and have installed many third party programs on my Mac, virtually none of them are available through the app store. These are everything from tools and utilities (Parallels, a VNC client that works where Screen Sharing is broken) to music production tools (Pro Tools, EZ Drummer, etc.). Many of these automatically download updates and prompt for installation. Do I trust the providers of most of these tools? I suppose, but other than them having professional-looking web sites, what is that trust based upon? And there is no guarantee that I am not subject to the whim of a rogue employee developer, or even a hacked web site.


To be sure, the core OS is intrinsically more secure than Windows. But I consider this fundamental policy of the OS to be flawed by introducing this obvious vector for potential compromise. We can argue about whether I am smart enough to not type my password when I shouldn't, but it is the community at large who is at risk. If I am stupid and my system is compromised, the risk to yours just went up. When you look at the clever tactics people have used to phish for say bank and email passwords, and how many smart people have fallen for them, it only seems a matter of time before someone tries to exploit this flaw. The last thing I want or need is to have to jump through a bunch of hoops to investigate whether an app (or version of an app) I might want to install is or isn't "trusted" when it pops up asking me for my admin password (again).


This is simple:


1. No application-level process should ever require a clear-text admin password.

2. All prompts for admin password should be handled by inner-ring system level code, not user-level.

3. The dialog that prompts me for my password should be obviously visually distinct from an application-level dialog.


OS X applications might actually be implementing the first two, but the user cannot tell during an application installation. In other words, unless I also implement 3, I cannot be sure of 1 or 2.


Not trying to stir up trouble, just pointing out an obvious flaw.


Jan 20, 2016 9:58 PM in response to jdbunda

I agree, it is surprising that the possibility of spoofing a password dialog on a Mac is not more widely recognized as a security risk, and I'm surprised by some of the responses here and on other web pages that don't understand the issues. The problem is described in a few places on the internet, such as at https://www.reddit.com/r/apple/comments/2k9bgl/when_os_x_prompts_for_an_administrator_login_say/ where it begins with "When OS X prompts for an administrator login (say to install an app) how do you know it's not the application spoofing it to steal your password?" In the "Spoofed Dialogs" section of https://en.wikipedia.org/wiki/Comparison_of_privilege_authorization_features, it says "Another security consideration is the ability of malicious software to spoof dialogs that look like legitimate security confirmation requests. If the user were to input credentials [a password] into a fake dialog, ... the malicious software would then know the user's password."


Until this is fixed in Mac OS X at a more fundamental level, what I try to do is the following. Some software tries to do auto updates (for example, Adobe Flash, Adobe Reader, Nomachine), and prompts you for a password to do the installation of the new version. When possible, I will instead go to the original web site for that software and directly download the latest version. Sometimes that will have a .pkg package for the installation. Then I can right-click on the .pkg file, select "Open With Installer.app", and follow the installation process. Then I can be certain that the dialog box that is asking me to type in a password is really coming from the Mac's default Installer.app, and not some 3rd party developer's application that could steal the password.


There seem to me to be two types of fixes. One is for developers and the other would require implementation inside of Mac OS X by Apple. For developers, it seems to me that installation of most programs should not require typing in a password. OS X is supposed to do sandboxing of most applications, so they have limited access to important system files and perhaps even to user files, so why type a user password to install them? I think that Firefox and Thunderbird don't require typing a password, one simply drags the app into the Application Folder. This doesn't work for all kinds of apps (such as installing system services and placing files elsewhere on the system, according to http://www.howtogeek.com/177619/how-to-install-applications-on-a-mac-everything-you-need-to-know/), so in those cases it needs to use the Apple Installer.app and it will request a password to elevate to higher privileges. (It would also help if the Installer told the user what privileges were being requested.)


A deeper fix to avoid spoofing of a password dialog box was suggested by bICEmeister at the reddit.com link above, and would require implementation by Apple inside of Mac OS X:


"Putting in a system-wide user-defined phrase that is only readable by the OS level process and using that in the dialog would help verify the source. That's how securecard payments work on my debit/credit cards. Wherever and whenever I make purchases online, where it's supported I'm redirected to a page or I frame where the bank asks me to verify with my password, while showing it knows my "secret" phrase that only the bank has access to.


It's actually a quite elegant and simple solution to establish trust in that sense, and I think apple could make it even more so."
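
The reply above describes downloading a vendor's .pkg by hand and opening it in Installer.app. As an added example (not part of the original post), this shell sketch checks who signed such a package before it is opened; the function names, the team ID `ABCDE12345` and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example: check who signed a downloaded .pkg before handing it to Installer.app.

# Constructed samples modeled on `pkgutil --check-signature` output
# (exact wording can differ between macOS versions).
SAMPLE_SIGNED='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "Example.pkg":
   Status: no signature'

# pkg_signer: read pkgutil output on stdin; print the leaf certificate name
# (entry 1 of the chain) only if the status line reports a signature.
pkg_signer() {
    awk '
        /Status: signed/ { signed = 1 }
        /^[ \t]*1\. /    { sub(/^[ \t]*1\. /, ""); leaf = $0 }
        END              { if (signed && leaf != "") print leaf }
    '
}

# signer_matches SIGNER TEAM_ID: true only for a Developer ID Installer
# certificate whose name ends in the expected team ID.
signer_matches() {
    case $1 in
        "Developer ID Installer: "*" ($2)") return 0 ;;
        *) return 1 ;;
    esac
}

# check_pkg PKG TEAM_ID (macOS only): verify the signer, then ask Gatekeeper
# whether it would allow this installer package.
check_pkg() {
    signer=$(pkgutil --check-signature "$1" 2>/dev/null | pkg_signer)
    signer_matches "$signer" "$2" || { echo "unexpected signer: ${signer:-none}" >&2; return 1; }
    spctl --assess --type install "$1"
}
```

On macOS, `check_pkg Example.pkg ABCDE12345 && open -a Installer Example.pkg` opens the package only after both checks pass. The expected team ID has to come from a source you already trust, such as the vendor's own documentation.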
