crsud process with security update 2013-001

I just installed the new security update, 2013-001, and Little Snitch detected a new process at startup, crsud, which wants to connect to Apple.


I would like to know what this does. My guess is that it checks for updates, perhaps to some security software. Anyone know?


It seems to me that when such a process is added, it is appropriate for Apple to explain itself in the update description, but I am old-fashioned about such things.


Greg

MBP 17" 2.33GHz, Mac OS X (10.5.1)

Posted on Mar 15, 2013 2:08 PM

168 replies

Mar 18, 2013 6:20 PM in response to WZZZ

>>Wonder if this is still working...

try it eh 🙂


I said earlier, not sure what ML has for the same purpose - of course it has a 'system data files & security updates' option in the SU pref pane, similar to the 'automatically install...' I haven't noticed what flags them yet, presumably something in the catalog or the pkm's.


I think it's a good thing overall: e.g. non-admin user, yet 'critical' updates come in w/o interaction, and it can be disabled if you wish. There are seemingly flashback & maybe other such still around, due to no updates.

Mar 18, 2013 6:28 PM in response to andyBall_uk

I did just try it. (Figured I should eat my own dog food.) Looked through the logs and didn't see the usual "placeholder" message (screenshot below) that appears when the XProtectUpdater automatically connects but doesn't get an update. I'd never used the force update commands before, so don't know if that same message is to be expected when it's done that way.


User uploaded file

Mar 19, 2013 8:18 AM in response to WZZZ

And looking at /private/var/db/install/crsud.plist I'm seeing that the last time it updated was last night after I checked "Automatically install..." and then allowed crsud to connect. Nothing thereafter.


(In Snow, but it's very likely because I'm not doing this correctly, I'm not finding any of the results you found, Andy, for test .pkg. Just /private/var/db/receipts/com.apple.pkg.SecUpdBase2013-001Test.plist, which doesn't contain any of what you are showing.)


This is the crsud.plist


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LastSuccessfulScanDate</key>
    <date>2013-03-19T00:38:51Z</date>
    <key>LogLevel</key>
    <integer>3</integer>
</dict>
</plist>


Message was edited by: WZZZ

Mar 19, 2013 8:36 AM in response to billcole

billcole wrote:


So why keep using Little Snitch at all?


There is nothing protecting curl from malicious or surreptitious use and it is a very flexible and powerful tool. It is common practice for software that seeks to operate without being noticed to use common tools (e.g. curl, ssh, etc.) to do things like network access which are often watched, so as to look more like routine activity.


Little Snitch resides in root and looks for suspicious outgoing network behavior, thus any malware that attacks the machine and wants to go unnoticed when it calls home needs to gain access to root to disable Little Snitch.


So LS is protecting users who normally reside in Admin (or better) Standard User which are lower permissions levels from unseen malware. It won't protect against someone installing a Trojan with their Admin password obviously.


crsud and curl are root level processes, and Little Snitch flags crsud because it's a new process; it was installed in the last software update, thus LS doesn't automatically allow it through in the default settings as it hasn't seen it before.


curl is flagged because it can be easily called, so if one isn't running a program and curl wants to connect, it alerts the user something fishy is going on.


LS will obviously get an update that will allow the new crsud and the check for the process that calls curl for legitimacy, thus allowing that by default as it's from Apple.


LS has protected many from the Flashback malware as if it saw LS it just deleted itself knowing it couldn't download the main payload without alerting seasoned users.


So it's an extremely useful security tool, especially if it catches some malware where the writer doesn't plan on users having it, thus alerting seasoned users the platform is under attack.


For those malware writers that know we run LS, it forces them to seek root access which isn't as easy to accomplish.


Sure, a browser flaw can upload all a user's files or attempt to do things in a lower permissions level; the new LS 3 has an activity window now that shows all the connections and the activity of those programs/processes that are allowed through or attempting connections. So it can flag stuff that's going on when the user isn't doing anything or seems overload for what they are doing. For instance ASC is uploading the unposted comments on this forum so in case something happens you can recover your post in case of a glitch.


The object of LS is to keep the user aware of what's going out (and even into) their machine via the network connections.

Mar 19, 2013 9:55 PM in response to WZZZ

WZZZ wrote:


I just force ran the XProtect updater again, which I'm seeing in the logs, but nothing at all about actually connecting.

I should have mentioned this when you first brought it up, but back when XProtect first came out along with the Terminal command (and a small app) to force an update, there were a handful of individuals who lost their Login Keychains when they used it. Never figured out why and the numbers were small, but it did cause me to start telling people to only Toggle the preference to initiate an update. I even managed to get Macworld to retract their tip about it.


Now that the option seems to be gone for 10.6 users, I don't know what I should be recommending.

May 14, 2013 6:37 AM in response to WZZZ

WZZZ said:

And, if you haven't already done so, uncheck "Open 'safe' files after downloading" in Safari Preferences. Whether or not Apple keeps this list updated or not, this is an enormous security risk.


FYI: I personally have harped on this issue to Apple. They have at least acknowledged my complaint. I'm certain others have complained as well. I can say that at least the update to Safari 6.0.3 did NOT turn this checkbox ON again. I don't yet know if a clean install of Safari 6.0.3 still has it turned on by default.


If it helps: There have been no infections of Macs via this potential security hole, so far, of which I am aware.



Mar 20, 2013 3:00 AM in response to Derek Currie

Derek Currie wrote:


There have been no infections of Macs via this potential security hole, so far, of which I am aware.

IIRC, it was the original Flashback Trojan that was downloaded as a FlashPlayer.pkg file that started the concern over disabling this option. There may well have been others, even before that, but I'd have to go through the list to be certain.

Mar 20, 2013 5:29 AM in response to MadMacs0

I had it unchecked way before Flashback on principle; I wasn't going to trust whatever Apple thought 'safe' files were and also I don't like losing control over downloads. We saw what happened when that kind of user control was relinquished.


FWIW: output of strings /usr/libexec/crsud. You can clearly see here that it's involved with XProtect. No idea why I'm seeing these failures or errors, except that perhaps Apple hasn't finished the job yet.



Last login: Wed Mar 20 08:11:13 on ttys000

***********$ strings /usr/libexec/crsud

This tool must be run as root

crsud: Starting

com.apple.softwareupdate.crsu

crsud: Couldn't instantiate daemon

crsud: Exiting.

drain

runDaemon

ensureCacheDirectoryExists

alloc

NSAutoreleasePool

CUDaemon

com.apple.crsud.ScanningForChanges

Error encountered - scheduling retry: %@

Error encountered - retries exhausted: %@

crsud service disabled - exiting now.

Preference set to force a scan

No lastScanDate in cache - will scan now

Will not scan - scan interval %d less than %d. Next scan in %d seconds.

_quitNow

_numTries

scheduleRetryWaitingForNetworkAvailability

checkShouldRunNow

initWithService:

NSObject

runUntilDate:

currentRunLoop

initWithTimeIntervalSinceNow:

performScanWithCompletionHandler:

code

sharedHandler

scanInterval

timeIntervalSinceDate:

date

sharedInstance

CUPowerAssertion

NSRunLoop

Starting scan now...

Found updates to install

No updates found to install at this time

@8@0:4

v12@0:4@?8

CUScan

release

errorWithCode:underlyingError:

setLastScanTimestamp:

downloadAndInstallUpdates

scanProductUpdatesWithCatalog:

defaultManager

osVersionString

copy

CUCatalog

NSDate

CUURLErrorResponseHeaders

CUURLErrorStatusCode

User-Agent

Sending request %@ %@

didReceiveAuthenticationChallenge

@"NSURLResponse"

data

@"NSMutableData"

error

@"NSError"

setResponse:

setData:

setError:

setIsExecuting:

v12@0:4c8

c8@0:4

setIsCancelled:

_wantHTTPLogging

connection:didReceiveResponse:

connection:didFailWithError:

connectionDidFinishLoading:

connection:didReceiveData:

connection:didCancelAuthenticationChallenge:

connection:didReceiveAuthenticationChallenge:

connection:canAuthenticateAgainstProtectionSpace:

c16@0:4@8@12

connection:willSendRequest:redirectResponse:

@20@0:4@8@12@16

isCancelled

Tc,VisCancelled

isExecuting

Tc,VisExecuting

T@"NSError",&,Verror

T@"NSMutableData",&,Vdata

response

T@"NSURLResponse",&,Vresponse

_CUURLConnectionDelegate

@20@0:4@8^@12^@16

finishAuthenticationChallenge:usingCredential:

v20@0:4@8@12c16

didReceiveAuthenticationChallenge:

setUserAgent:

userAgent

setSharedAuthenticationHandler:

logHttp

errorWithDomain:code:userInfo:

dictionaryWithObjectsAndKeys:

allHeaderFields

numberWithInteger:

cancel

statusCode

class

appendData:

allHTTPHeaderFields

description

setValue:forHTTPHeaderField:

connectionWithRequest:delegate:

setHTTPShouldHandleCookies:

mutableCopy

isFileURL

cancelAuthenticationChallenge:

useCredential:forAuthenticationChallenge:

continueWithoutCredentialForAuthenticationChallenge:

sender

proposedCredential

previousFailureCount

protectionSpace

promptForAuthenticationChallenge:

NSURLConnection

NSHTTPURLResponse

NSDictionary

NSError

NSMutableData

CUPrefs

Products

Distributions

10.6

10.7

RequiredUpdates

Found the following required updates: %@

com.apple.crsud.DownloadCatalog

Download catalog with URL: %@

EV cert checking disabled by preferences

Error parsing catalog: %@

No catalog found - done.

Error during download: %@

downloadCatalog returning with Dict:%@

_catalogDictionary

@"NSDictionary"

allProductKeys

extraInfoForProductKey:

@12@0:4@8

productDictForProductKey:

productUpdatesForOSVersion:

productForProductKey:

downloadCatalogForOSVersion:error:

c16@0:4@8^@12

catalogURLWithVersion:

allKeys

removeObjectForKey:

autorelease

productWithProductKey:productDictionary:

objectForKey:

isEqualToString:

domain

retain

propertyListFromData:mutabilityOption:format:errorDescription:

isKindOfClass:

host

takePowerAssertionWithDescription:timeout:

hasPrefix:

URLWithString:

catalogURL

catalogURLScheme

NSString

NSMutableURLRequest

CUURLConnection

NSPropertyListSerialization

CUProduct

swscan.apple.com

cr-snowleopard

cr-lion

%@://%@/content/catalogs/others/index-%@-1.sucatalog

/var/db/receipts/%@.plist

Downloading package with URL: %@

Error downloading package: %@

ExtendedMetaInfo

Packages

packageIdentifier

Digest

Size

Invalid product with key %@ found in catalog - cannot download and install product.

Package URL: %@, File Size: %ld, Digest: %@, Package ID: %@

%@/%@.pkg

Package Download Path is: %@

%s: Failed post-download size check for package "%s": expected %llu, got %llu

%s: Failed post-download digest check for package "%s": expected %s, got %s

Failed to register package %@ for %@ (returned trust level %d)

Invalid product download - file either does not exist or is a directory

Successfully verified package at path: %s

pkgPath required

/SourceCache/CodeGingerSU/CodeGingerSU-5/Daemon/CUProduct.m

Invalid flat package %s

CSSMOID_APPLE_TP_SW_UPDATE_SIGNING

Untrusted request %s: %s

2097152

rsize

checksum/offset

checksum/size

%02x

_state

_productKey

@"NSString"

_packageIdentifier

_error

_packageDownloadToPath

_receiptPath

_packageDownloadURL

_digest

_tempDownloadPath

_totalDownloadSize

_needsInstall

_needsDownload

_packageReferenceForPackageIdentifier

verifyPackageAtPath:minimumTrust:error:

c20@0:4@8i12^@16

@16@0:4@8@12

productKey

state

i8@0:4

downloadSize

Q8@0:4

packageToInstall

cleanupDownload

v8@0:4

c12@0:4^@8

_processDownloadedFileAtPath:expectedDownloadSize:expectedDigest:error:

c28@0:4@8Q12@20^@24

_digestForArchiveAtPath:

verifyProductWithTrustLevel:

c12@0:4i8

initWithProductKey:dictionaryRepresentation:

_buildProductWithKey:dictionaryRepresentation:

receiptPath

packageDownloadPath

dealloc

removeItemAtPath:error:

writeToFile:options:error:

sendSynchronousRequest:returningResponse:error:

requestWithURL:cachePolicy:timeoutInterval:

absoluteString

requiredPackageTrustLevelForCurrentMode

lastPathComponent

attributesOfItemAtPath:error:

appendFormat:

bytes

stringWithCapacity:

closeFile

readDataOfLength:

seekToFileOffset:

fileHandleForReadingAtPath:

fileSystemRepresentation

pathExtension

evaluateTrustReturningError:

_setTrustAnchorCertificateData:

dataWithBytes:length:

_setTrustPolicyIdentifier:

_setAllowsDevelopmentSignedArchives:

arrayWithObject:

errorWithCode:path:

UTF8String

packageWithPath:

handleFailureInMethod:object:file:lineNumber:description:

stringWithUTF8String:

currentHandler

length

unsignedLongLongValue

lastObject

NSAssertionHandler

PKPackage

CUHelper

PKInstallRequest

NSArray

NSData

NSFileHandle

NSMutableString

NSURL

root

wheel

/Library/Updates

Error while downloading product :%@ - %@

Install finished!

Error callback while installing: %s

New install state: %s

com.apple.crsud.DownloadAndInstallUpdates

Exception caught while downloading or installing product %@

Error encountered - product will be cleaned up

Exception caught in installProducts: %s

_productsToDownload

@"NSMutableArray"

_productsToInstall

_installClient

@"PKInstallClient"

_installState

_installError

_installingNow

installClientDidFinish:

v12@0:4@8

installClient:didFailWithError:

v16@0:4@8@12

installClient:currentState:package:progress:timeRemaining:

v36@0:4@8i12@16d20d28

registerProduct:

c12@0:4@8

installProducts

_cleanupPackages

downloadProductIfNeeded:

i12@0:4@8

addProductToDownload:

addProductToInstall:

createDirectoryForProductKey:

directoryForProductKey:

CUProductManager

localizedDescriptionForInstallState:

scheduledTimerWithTimeInterval:target:selector:userInfo:repeats:

self

initWithRequest:delegate:error:

requestWithPackages:destination:

downloadAndVerify:

count

countByEnumeratingWithState:objects:count:

needsToBeDownloaded

needsToBeInstalled

addObject:

createDirectoryAtPath:withIntermediateDirectories:attributes:error:

numberWithInt:

dictionaryWithCapacity:

fileExistsAtPath:isDirectory:

rangeOfString:

stringByAppendingPathComponent:

NSMutableArray

NSFileManager

NSMutableDictionary

NSNumber

PKInstallClient

NSTimer

NSException

PKInstall

CUErrorDomain

@16@0:4i8@12

allowDevSignedPkgs

userInfo

dictionary

/var/db/install

%@/crsud.plist

CriticalUpdates: Error attempting to create the preferences file - critical updates may fail

com.apple.xprotectupdater

com.apple.crsud

TRUE

xProtect = %@, crsud = %@

Syncing up xprotect and codeginger preferences...

com.apple.ServiceManagement.daemons.modify

Error obtaining right to modify launch prefs: %@

Disabling crsud service - xprotect was found disabled...

Error attempting to enable crsud: %@

_prefsDict

@"NSMutableDictionary"

_dirty

_prefsURL

@"NSURL"

_osVersion

_serviceEnabled

_protectedPreferencesFileURL

evCertCheckDisabled

forceScanAlways

lastScanTimestamp

schedulingInterval

catalogURLHost

serviceEnabled

logLevel

setObject:forKey:

_writePrefs

_readPrefs

_syncUpXProtectAndCodeGingerSettings

boolValue

integerValue

writeToURL:atomically:

dataFromPropertyList:format:errorDescription:

unlock

dataWithContentsOfURL:

lock

fileURLWithPath:

createFileAtPath:contents:attributes:

dataWithPropertyList:format:options:error:

dictionaryWithObject:forKey:

fileExistsAtPath:

stringWithFormat:

protectedCacheDirectory

authorizationRef

obtainWithRight:flags:error:

authorization

NSLock

SFAuthorization

LogLevel

CatalogURL

CatalogURLHost

CatalogURLScheme

SchedulingInterval

ScanInterval

LastSuccessfulScanDate

ForceScanAlways

AllowDevSignedPkgs

LogHttpTraffic

DisableEVCheck

OSVersionOverride

crsud

Canceling PA timeout

Scheduling PA timeout in %d seconds

Releasing power assertion: %@

No assertion exists while trying to release the assertion

Taking power assertion: %@

NoIdleSleepAssertion

Could not create assertion - failed with status %d

_timerSource

^{dispatch_source_s=}

releasePowerAssertion

v16@0:4@8i12

scheduleTimeoutForPA:

v12@0:4i8

cancelTimeout

init

com.apple.SoftwareUpdate.SUCatalogFetchAuthenticationHandler

FALSE

setting cert validated for host %@ = %@

https

certValidatedForURL %@ = %@

isHostDisabledForEVCheck %@ = %@

Failed Software Update - trust evaluation failed in SecTrustEvaluate: %d

Failed Software Update - trust evaluation failed in SecTrustEvaluate with result: %d

Organization

Apple Inc.

Accepting valid EV Cert from host %@ with org name: %@

Failed Software Update - Refusing invalid certificate from host: %@

_certValidatedByHost

_updateQueue

^{dispatch_queue_s=}

_evCheckingDisabledByPref

_disabledHosts

_setCertValidated:forHost:

v16@0:4c8@12

certValidatedForURL:

isHostDiabledForEVCheck:

disableHostForEVCheck:

CUAuthenticationHandler

numberWithBool:

scheme

credentialForTrust:

stringWithString:

finishAuthenticationChallenge:usingCredential:shouldContinue:

serverTrust

authenticationMethod

containsObject:

initWithObjects:

CUURLAuthenticationHandler

NSURLCredential
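
An added example, not part of any post in this thread and not Apple's code: a small audit of /private/var/db/install/crsud.plist that combines the plist posted above with the preference key names visible in the strings output (DisableEVCheck, AllowDevSignedPkgs, CatalogURL, CatalogURLHost, CatalogURLScheme, LastSuccessfulScanDate). The meaning of each key is inferred from its name only; the function name `audit`, the 3-day staleness threshold, the expected `https` scheme and the values in the modified plist are assumptions made for this example.

```python
import plistlib
from datetime import datetime, timedelta
from urllib.parse import urlparse

# The plist exactly as posted earlier in this thread.
THREAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>LastSuccessfulScanDate</key>
<date>2013-03-19T00:38:51Z</date>
<key>LogLevel</key>
<integer>3</integer>
</dict>
</plist>"""

# Constructed variant: two keys named in the strings output, with made-up values.
MODIFIED_PLIST = THREAD_PLIST.replace(
    b"</dict>",
    b"<key>DisableEVCheck</key><true/>"
    b"<key>CatalogURLHost</key><string>updates.example.invalid</string></dict>")

EXPECTED_HOST = "swscan.apple.com"  # host string present in the binary
EXPECTED_SCHEME = "https"           # assumption: catalog is fetched over TLS

def audit(plist_bytes, now, max_age=timedelta(days=3)):
    """Return findings for a crsud.plist; an empty list means nothing flagged.

    `now` is a naive UTC datetime; `max_age` is an arbitrary threshold, since
    the daemon's real scan interval is not stated on this page.
    """
    prefs = plistlib.loads(plist_bytes)
    findings = []
    # Assumed meaning: a true value relaxes a check in the update path.
    for key in ("DisableEVCheck", "AllowDevSignedPkgs"):
        if prefs.get(key) in (True, "TRUE"):
            findings.append(f"{key} is enabled")
    host, scheme = prefs.get("CatalogURLHost"), prefs.get("CatalogURLScheme")
    if prefs.get("CatalogURL"):  # a full URL override takes precedence here
        parts = urlparse(prefs["CatalogURL"])
        host, scheme = parts.hostname, parts.scheme
    if host and host.lower() != EXPECTED_HOST:
        findings.append(f"catalog host overridden: {host}")
    if scheme and scheme.lower() != EXPECTED_SCHEME:
        findings.append(f"catalog scheme overridden: {scheme}")
    last = prefs.get("LastSuccessfulScanDate")
    if last is None:
        findings.append("no LastSuccessfulScanDate recorded")
    elif now - last > max_age:
        findings.append(f"last successful scan was {(now - last).days} days ago")
    return findings

if __name__ == "__main__":
    for name, blob in (("as posted", THREAD_PLIST), ("modified", MODIFIED_PLIST)):
        print(name, audit(blob, now=datetime(2013, 3, 20, 12, 0, 0)))
```

On a real machine the bytes would come from reading the plist file as root; a non-empty result is a prompt to look at who changed the file, not proof of tampering.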
