
crsud process with security update 2013-001

I just installed the new security update, 2013-001, and Little Snitch detected a new process at startup, crsud, which wants to connect to Apple.


I would like to know what this does. My guess is that it checks for updates, perhaps to some security software. Anyone know?


It seems to me that when such a process is added, it is appropriate for Apple to explain itself in the update description, but I am old-fashioned about such things.


Greg

MBP 17" 2.33GHz, Mac OS X (10.5.1)

Posted on Mar 15, 2013 2:08 PM

168 replies

Mar 17, 2013 7:41 PM in response to ds store

ds store wrote:


Because Apple ... said they did install an anti-malware scanner.

But they have been saying that since MacDefender days and from the looks of the installer, it still has the same MRT elements that have always been there. It certainly sounds like the same thing that has been distributed with every Security and Java update over the past year that runs once and then deletes itself.

Mar 17, 2013 10:09 PM in response to WZZZ

crsud looks at

https://swscan.apple.com/content/catalogs/others/index-cr-lion-1.sucatalog.gz

(change lion for snowleopard)


and finds details of any 'critical' updates… for now, just a SecUpdBase2013-001Test.pkg

these are then downloaded & installed - in the case of this 'test' package, installing an invisible 2 byte payload at /var/.emptypayload

the test package also contains a post-install action, which looks at

https://swscan.apple.com/content/catalogs/others/index-mountainlionseed-1.sucatalog.gz

and searches for a particular 'part number', downloading it if found… The one looked for by the test package does not exist currently.


So, looking at WZZZ's screenshot earlier, he's already had that test update silently installed, as did I, on first boot to Lion following the 2013-001 update.
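The catalog lookup Andy describes above (fetch the .sucatalog.gz, read the product entries, note which .pkg each one would download) can be reproduced on a saved catalog so you can see what an automatic installer would pull before it runs. The script below is an added example, not code from the thread or from Apple: the embedded catalog is constructed, its product ID and URL are placeholders, and its layout (Products -> Packages -> URL/Size) is assumed to follow the general sucatalog plist format rather than copied from the real index-cr-lion-1 file.

```python
import gzip
import plistlib

# Constructed sample catalog (assumed sucatalog layout; not Apple's real file).
SAMPLE_CATALOG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CatalogVersion</key><integer>2</integer>
  <key>Products</key>
  <dict>
    <key>031-1234</key>
    <dict>
      <key>PostDate</key><date>2013-03-14T19:00:00Z</date>
      <key>Packages</key>
      <array>
        <dict>
          <key>URL</key><string>https://swcdn.example.invalid/SecUpdBase2013-001Test.pkg</string>
          <key>Size</key><integer>4096</integer>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
"""
# The catalog URLs in the thread end in .gz, so keep a compressed copy as served.
SAMPLE_CATALOG_GZ = gzip.compress(SAMPLE_CATALOG)


def load_catalog(data: bytes) -> dict:
    """Parse a catalog body, transparently inflating it if it is gzip-compressed."""
    if data[:2] == b"\x1f\x8b":  # gzip magic bytes
        data = gzip.decompress(data)
    return plistlib.loads(data)


def list_packages(catalog: dict) -> list:
    """Return (product_id, post_date, url, size) for every package the catalog offers."""
    rows = []
    for pid, product in catalog.get("Products", {}).items():
        post = product.get("PostDate")
        for pkg in product.get("Packages", []):
            rows.append((pid, post, pkg.get("URL"), pkg.get("Size")))
    return rows


if __name__ == "__main__":
    # Inventory what the catalog would have an automatic installer download.
    for pid, post, url, size in list_packages(load_catalog(SAMPLE_CATALOG_GZ)):
        print(f"{pid}  {post:%Y-%m-%d}  {size:>8}  {url}")
```

Point load_catalog at the bytes of a catalog you have already saved (for example with curl, as discussed later in the thread) to list the packages it offers for your OS version.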

Mar 18, 2013 5:30 AM in response to andyBall_uk

That's really impressive Andy. I wouldn't know how to begin to get in and find all that stuff and then examine it. Way above my pay grade. That's great information. Thanks. (Sometime, when you have nothing better to do, I'd love to know how you did that.)


This is interesting:


/private/var/.emptypayload


2 bytes with a created and modified of 5/29/12


I wonder how that arrived, since it pre-dates this current update by many months.


Message was edited by: WZZZ

Mar 18, 2013 7:59 AM in response to WZZZ

>>/private/var/.emptypayload

>>2 bytes with a created and modified of 5/29/12

>>I wonder how that arrived, since it pre-dates this current update by many months.


my check was in Lion, which apparently changed the modified date to last night, although the creation date is also May 2012 - either Snow does something slightly different (the test package from cr-snowleopard is the same one) or some other difference between the way it ran on our two systems.


It was there on your pre-update backup? Likely not; just un-modified during/after install.

Mar 18, 2013 2:07 PM in response to WZZZ

>Sometime, when you have nothing better to do, I'd love to know how you did that

a passing knowledge of software update & the catalog format / URLs -

then strings command on crsud, as I suggested to you on the other side,

then did nothing about it since I figured you or ds would be all over it using Little Snitch.


saw your screeny showing the test pkg, but carelessly thought it was a rename for testing.

noticed the crsud.plist for root was altered after Lion update, containing an entry mentioning the same test pkg as your screenshot... so I looked more closely at Strings output & found that for now, at least, there's a different URL for critical updates (previously checked the main catalog for 'critical' or anything likely-sounding)

Mar 18, 2013 3:14 PM in response to MadMacs0

MadMacs0 wrote:

curl is a common process for transferring data with URL syntax. I see it used by a number of routines with my setup and it has been permanently approved with port 80 for a very long time.

So why keep using Little Snitch at all?

There is nothing protecting curl from malicious or surreptitious use and it is a very flexible and powerful tool. It is common practice for software that seeks to operate without being noticed to use common tools (e.g. curl, ssh, etc.) to do things like network access which are often watched, so as to look more like routine activity.

Mar 18, 2013 4:26 PM in response to andyBall_uk

andyBall_uk wrote:


…is xprotect disabled on the 10.6.8 mac ?

Not as far as I know. At least I've not disabled it. Do note that both Java and Flash Player are totally up to date.

re ML - we know there's no crsud, so perhaps no 'test' package either? I'm not sure what's in place for ML to ensure critical updates.

I'm not aware of anything except XProtect, which doesn't do any updating, but turns those off. I never do autoupdates of anything, but do keep up to date and manually install all updates.

Mar 18, 2013 4:45 PM in response to baltwo

baltwo wrote:


FWIW, not seeing /var/.emptypayload in my SL or ML boot volumes, both with the latest updates installed. Strange stuff here.

Did you check the box for "Automatically install important security updates"? I realize that's not something you would normally do, but it didn't sound like you would get the test package installation unless it was.

Mar 18, 2013 5:52 PM in response to baltwo

I just went back in and checked "Automatically install...." As soon as I did that, within a half second, Little Snitch came up with "crsud wants to connect."


It seems Xprotect and the new crsud are wrapped up together, since that's in the original location for allowing XProtect updates.


Wonder if this is still working in 10.6 to force XProtect to update now.


sudo /usr/libexec/XProtectUpdater


sudo launchctl start com.apple.xprotectupdater
