
crsud process with security update 2013-001

36813 Views 168 Replies Latest reply: Sep 8, 2013 9:10 AM by MadMacs0
  • WZZZ Level 6 (11,875 points)
    Mar 18, 2013 5:52 PM (in response to baltwo)

    I just went back in and checked "Automatically install...." As soon as I did that, within a half second, Little Snitch came up with "crsud wants to connect."

    It seems XProtect and the new crsud are wrapped up together, since that's in the original location for allowing XProtect updates.

    Wonder if this is still working in 10.6 to force XProtect to update now.

    sudo /usr/libexec/XProtectUpdater

    sudo launchctl start com.apple.xprotectupdater

  • andyBall_uk Level 6 (17,470 points)
    Mar 18, 2013 6:20 PM (in response to WZZZ)

    >>Wonder if this is still working...

    try it eh

     

    I said earlier, not sure what ML has for the same purpose - of course it has a 'system data files & security updates' option in the SU pref pane, similar to the 'automatically install...'. I haven't noticed what flags them yet, presumably something in the catalog or the pkm's.

    I think it's a good thing overall: eg non-admin user, yet 'critical' updates come in w/o interaction, and it can be disabled if you wish. There are seemingly Flashback & maybe other such still around, due to no updates.

  • WZZZ Level 6 (11,875 points)
    Mar 18, 2013 6:28 PM (in response to andyBall_uk)

    I did just try it. (Figured I should eat my own dog food.) Looked through the logs and didn't see the usual "placeholder" message (screenshot below) that appears when the XProtectUpdater automatically connects but doesn't get an update. I'd never used the force update commands before, so don't know if that same message is to be expected when it's done that way.

     

    Screen shot 2013-03-18 at 9.24.18 PM.png

  • tingotanca Level 1 (0 points)
    Mar 19, 2013 1:40 AM (in response to baltwo)

    Same here on SL

  • WZZZ Level 6 (11,875 points)
    Mar 19, 2013 7:52 AM (in response to andyBall_uk)

    I just force ran the XProtect updater again, which I'm seeing in the logs, but nothing at all about actually connecting.

  • WZZZ Level 6 (11,875 points)
    Mar 19, 2013 8:18 AM (in response to WZZZ)

    And looking at /private/var/db/install/crsud.plist I'm seeing that the last time it updated was last night after I checked "Automatically install..." and then allowed crsud to connect. Nothing thereafter.

     

    (In Snow, but it's very likely because I'm not doing this correctly, I'm not finding any of the results you found, Andy, for test .pkg. Just /private/var/db/receipts/com.apple.pkg.SecUpdBase2013-001Test.plist, which doesn't contain any of what you are showing.)

    This is the crsud.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>LastSuccessfulScanDate</key>
        <date>2013-03-19T00:38:51Z</date>
        <key>LogLevel</key>
        <integer>3</integer>
    </dict>
    </plist>

     

    Message was edited by: WZZZ
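    Since the thread keeps coming back to the question of whether crsud actually ran, here is an added example (not from the thread and not Apple's code) that reads LastSuccessfulScanDate out of a crsud.plist in the format WZZZ posted and reports how old the last successful scan is. The plist text is the one quoted in the thread, embedded so the check runs offline; the 24-hour staleness threshold is an assumption, not a value taken from crsud.

```python
"""Report the age of crsud's last successful scan from crsud.plist.

Added example for this thread; not Apple's code.  Reads the plist format
quoted in the thread (/private/var/db/install/crsud.plist) and decides
whether the last scan looks stale.  The 24-hour threshold is an assumption.
"""
import plistlib
from datetime import datetime, timedelta, timezone

# Path named in the thread as the file crsud writes its last scan date to.
CRSUD_PLIST_PATH = "/private/var/db/install/crsud.plist"

# Constructed sample: the plist posted in the thread, embedded for offline use.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LastSuccessfulScanDate</key>
    <date>2013-03-19T00:38:51Z</date>
    <key>LogLevel</key>
    <integer>3</integer>
</dict>
</plist>
"""

# Constructed sample of a plist with no scan recorded (the "never ran" case).
EMPTY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>LogLevel</key>
    <integer>3</integer>
</dict>
</plist>
"""


def parse_utc(stamp):
    """Parse an ISO 8601 UTC timestamp such as 2013-03-19T00:38:51Z into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_scan_date(plist_bytes):
    """Return LastSuccessfulScanDate as an aware UTC datetime, or None if the key is absent."""
    prefs = plistlib.loads(plist_bytes)
    stamp = prefs.get("LastSuccessfulScanDate")
    if stamp is None:
        return None
    # plistlib yields naive datetimes; a plist <date> is always UTC (trailing "Z").
    return stamp.replace(tzinfo=timezone.utc)


def scan_age(plist_bytes, now):
    """Seconds elapsed between the last successful scan and `now`, or None if none recorded."""
    stamp = last_scan_date(plist_bytes)
    if stamp is None:
        return None
    return (now - stamp).total_seconds()


def scan_is_stale(plist_bytes, now, max_age=timedelta(hours=24)):
    """True when no scan is recorded or the last one is older than max_age (assumed threshold)."""
    age = scan_age(plist_bytes, now)
    return age is None or age > max_age.total_seconds()


def main():
    # The real file is root-owned on 10.6/10.7; fall back to the sample when unreadable.
    try:
        with open(CRSUD_PLIST_PATH, "rb") as fh:
            data = fh.read()
        source = CRSUD_PLIST_PATH
    except OSError:
        data = SAMPLE_PLIST
        source = "sample plist from the thread"
    now = datetime.now(timezone.utc)
    print("source:", source)
    print("LastSuccessfulScanDate:", last_scan_date(data))
    print("stale:", scan_is_stale(data, now))


if __name__ == "__main__":
    main()
```

    Run it as root to read the live file; without privileges it falls back to the sample plist so the logic can still be exercised.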

  • ds store Level 7 (30,305 points)
    Mar 19, 2013 8:36 AM (in response to billcole)

    billcole wrote:

     

    So why keep using Little Snitch at all?

     

    There is nothing protecting curl from malicious or surreptitious use, and it is a very flexible and powerful tool. It is common practice for software that seeks to operate without being noticed to use common tools (e.g. curl, ssh, etc.) to do things like network access, which are often watched, so as to look more like routine activity.

    Little Snitch resides in root and looks for suspicious outgoing network behavior, thus any malware attacking the machine that wants to go unnoticed when it calls home needs to gain access to root to disable Little Snitch.

    So LS is protecting users who normally reside in Admin (or, better, Standard User), which are lower permission levels, from unseen malware. It won't protect against someone installing a Trojan with their Admin password, obviously.

    crsud and curl are root level processes, and Little Snitch flags crsud because it's a new process; it was installed in the last software update, thus LS doesn't automatically allow it in the default settings, as it hasn't seen it before.

    curl is flagged because it can be easily called, so if one isn't running a program and curl wants to connect, it alerts the user that something fishy is going on.

    LS will obviously get an update that will allow the new crsud and check the process that calls curl for legitimacy, thus allowing that by default as it's from Apple.

    LS has protected many from the Flashback malware, as if it saw LS it just deleted itself, knowing it couldn't download the main payload without alerting seasoned users.

    So it's an extremely useful security tool, especially if it catches some malware where the writer doesn't plan on users having it, thus alerting seasoned users that the platform is under attack.

    For those malware writers that know we run LS, it forces them to seek root access, which isn't as easy to accomplish.

    Sure, a browser flaw can upload all a user's files or attempt to do things at a lower permission level, but the new LS 3 has an activity window that shows all the connections and the activity of those programs/processes that are allowed through or attempting connections. So it can flag stuff that's going on when the user isn't doing anything, or that seems overloaded for what they are doing. For instance, ASC is uploading the unposted comments on this forum so that if something happens you can recover your post in case of a glitch.

    The object of LS is to keep the user aware of what's going out of (and even into) their machine via the network connections.

  • MadMacs0 Level 4 (3,320 points)
    Mar 19, 2013 9:55 PM (in response to WZZZ)

    WZZZ wrote:

     

    I just force ran the XProtect updater again, which I'm seeing in the logs, but nothing at all about actually connecting.

    I should have mentioned this when you first brought it up, but back when XProtect first came out along with the Terminal command (and a small app) to force an update, there were a handful of individuals who lost their Login Keychains when they used it. Never figured out why and the numbers were small, but it did cause me to start telling people to only Toggle the preference to initiate an update. I even managed to get Macworld to retract their tip about it.

     

    Now that the option seems to be gone for 10.6 users, I don't know what I should be recommending.

  • Derek Currie Level 1 (90 points)
    May 14, 2013 6:37 AM (in response to WZZZ)

    WZZZ said:

    And, if you haven't already done so, uncheck "Open 'safe' files after downloading" in Safari Preferences. Whether or not Apple keeps this list updated or not, this is an enormous security risk.

     

    FYI: I personally have harped on this issue to Apple. They have at least acknowledged my complaint. I'm certain others have complained as well. I can say that at least the update to Safari 6.0.3 did NOT turn this checkbox ON again. I don't yet know if a clean install of Safari 6.0.3 still has it turned on by default.

     

    If it helps: There have been no infections of Macs via this potential security hole, so far, of which I am aware.

     

    <Link Edited By Host>

  • MadMacs0 Level 4 (3,320 points)
    Mar 20, 2013 3:00 AM (in response to Derek Currie)

    Derek Currie wrote:

     

    There have been no infections of Macs via this potential security hole, so far, of which I am aware.

    IIRC, it was the original Flashback Trojan, which was downloaded as a FlashPlayer.pkg file, that started the concern over disabling this option. There may well have been others, even before that, but I'd have to go through the list to be certain.

  • WZZZ Level 6 (11,875 points)
    Mar 20, 2013 5:29 AM (in response to MadMacs0)

    I had it unchecked way before Flashback on principle; I wasn't going to trust whatever Apple thought 'safe' files were, and also I don't like losing control over downloads. We saw what happened when that kind of user control was relinquished.

    FWIW: output of strings /usr/libexec/crsud. You can clearly see here that it's involved with XProtect. No idea why I'm seeing these failures or errors, except that perhaps Apple hasn't finished the job yet.

     

     

    Last login: Wed Mar 20 08:11:13 on ttys000

    ***********$ strings /usr/libexec/crsud

    This tool must be run as root

    crsud: Starting

    com.apple.softwareupdate.crsu

    crsud: Couldn't instantiate daemon

    crsud: Exiting.

    drain

    runDaemon

    ensureCacheDirectoryExists

    alloc

    NSAutoreleasePool

    CUDaemon

    com.apple.crsud.ScanningForChanges

    Error encountered - scheduling retry: %@

    Error encountered - retries exhausted: %@

    crsud service disabled - exiting now.

    Preference set to force a scan

    No lastScanDate in cache - will scan now

    Will not scan - scan interval %d less than %d. Next scan in %d seconds.

    _quitNow

    _numTries

    scheduleRetryWaitingForNetworkAvailability

    checkShouldRunNow

    initWithService:

    NSObject

    runUntilDate:

    currentRunLoop

    initWithTimeIntervalSinceNow:

    performScanWithCompletionHandler:

    code

    sharedHandler

    scanInterval

    timeIntervalSinceDate:

    date

    sharedInstance

    CUPowerAssertion

    NSRunLoop

    Starting scan now...

    Found updates to install

    No updates found to install at this time

    @8@0:4

    v12@0:4@?8

    CUScan

    release

    errorWithCode:underlyingError:

    setLastScanTimestamp:

    downloadAndInstallUpdates

    scanProductUpdatesWithCatalog:

    defaultManager

    osVersionString

    copy

    CUCatalog

    NSDate

    CUURLErrorResponseHeaders

    CUURLErrorStatusCode

    User-Agent

    Sending request %@ %@

    didReceiveAuthenticationChallenge

    @"NSURLResponse"

    data

    @"NSMutableData"

    error

    @"NSError"

    setResponse:

    setData:

    setError:

    setIsExecuting:

    v12@0:4c8

    c8@0:4

    setIsCancelled:

    _wantHTTPLogging

    connection:didReceiveResponse:

    connection:didFailWithError:

    connectionDidFinishLoading:

    connection:didReceiveData:

    connection:didCancelAuthenticationChallenge:

    connection:didReceiveAuthenticationChallenge:

    connection:canAuthenticateAgainstProtectionSpace:

    c16@0:4@8@12

    connection:willSendRequest:redirectResponse:

    @20@0:4@8@12@16

    isCancelled

    Tc,VisCancelled

    isExecuting

    Tc,VisExecuting

    T@"NSError",&,Verror

    T@"NSMutableData",&,Vdata

    response

    T@"NSURLResponse",&,Vresponse

    _CUURLConnectionDelegate

    @20@0:4@8^@12^@16

    finishAuthenticationChallenge:usingCredential:

    v20@0:4@8@12c16

    didReceiveAuthenticationChallenge:

    setUserAgent:

    userAgent

    setSharedAuthenticationHandler:

    logHttp

    errorWithDomain:code:userInfo:

    dictionaryWithObjectsAndKeys:

    allHeaderFields

    numberWithInteger:

    cancel

    statusCode

    class

    appendData:

    allHTTPHeaderFields

    description

    setValue:forHTTPHeaderField:

    connectionWithRequest:delegate:

    setHTTPShouldHandleCookies:

    mutableCopy

    isFileURL

    cancelAuthenticationChallenge:

    useCredential:forAuthenticationChallenge:

    continueWithoutCredentialForAuthenticationChallenge:

    sender

    proposedCredential

    previousFailureCount

    protectionSpace

    promptForAuthenticationChallenge:

    NSURLConnection

    NSHTTPURLResponse

    NSDictionary

    NSError

    NSMutableData

    CUPrefs

    Products

    Distributions

    10.6

    10.7

    RequiredUpdates

    Found the following required updates: %@

    com.apple.crsud.DownloadCatalog

    Download catalog with URL: %@

    EV cert checking disabled by preferences

    Error parsing catalog:  %@

    No catalog found - done.

    Error during download: %@

    downloadCatalog returning with Dict:%@

    _catalogDictionary

    @"NSDictionary"

    allProductKeys

    extraInfoForProductKey:

    @12@0:4@8

    productDictForProductKey:

    productUpdatesForOSVersion:

    productForProductKey:

    downloadCatalogForOSVersion:error:

    c16@0:4@8^@12

    catalogURLWithVersion:

    allKeys

    removeObjectForKey:

    autorelease

    productWithProductKey:productDictionary:

    objectForKey:

    isEqualToString:

    domain

    retain

    propertyListFromData:mutabilityOption:format:errorDescription:

    isKindOfClass:

    host

    takePowerAssertionWithDescription:timeout:

    hasPrefix:

    URLWithString:

    catalogURL

    catalogURLScheme

    NSString

    NSMutableURLRequest

    CUURLConnection

    NSPropertyListSerialization

    CUProduct

    swscan.apple.com

    cr-snowleopard

    cr-lion

    %@://%@/content/catalogs/others/index-%@-1.sucatalog

    /var/db/receipts/%@.plist

    Downloading package with URL: %@

    Error downloading package: %@

    ExtendedMetaInfo

    Packages

    packageIdentifier

    Digest

    Size

    Invalid product with key %@ found in catalog - cannot download and install product.

    Package URL: %@, File Size: %ld, Digest: %@, Package ID: %@

    %@/%@.pkg

    Package Download Path is: %@

    %s: Failed post-download size check for package "%s": expected %llu, got %llu

    %s: Failed post-download digest check for package "%s": expected %s, got %s

    Failed to register package %@ for %@ (returned trust level %d)

    Invalid product download - file either does not exist or is a directory

    Successfully verified package at path: %s

    pkgPath required

    /SourceCache/CodeGingerSU/CodeGingerSU-5/Daemon/CUProduct.m

    Invalid flat package %s

    CSSMOID_APPLE_TP_SW_UPDATE_SIGNING

    Untrusted request %s: %s

    2097152

    rsize

    checksum/offset

    checksum/size

    %02x

    _state

    _productKey

    @"NSString"

    _packageIdentifier

    _error

    _packageDownloadToPath

    _receiptPath

    _packageDownloadURL

    _digest

    _tempDownloadPath

    _totalDownloadSize

    _needsInstall

    _needsDownload

    _packageReferenceForPackageIdentifier

    verifyPackageAtPath:minimumTrust:error:

    c20@0:4@8i12^@16

    @16@0:4@8@12

    productKey

    state

    i8@0:4

    downloadSize

    Q8@0:4

    packageToInstall

    cleanupDownload

    v8@0:4

    c12@0:4^@8

    _processDownloadedFileAtPath:expectedDownloadSize:expectedDigest:error:

    c28@0:4@8Q12@20^@24

    _digestForArchiveAtPath:

    verifyProductWithTrustLevel:

    c12@0:4i8

    initWithProductKey:dictionaryRepresentation:

    _buildProductWithKey:dictionaryRepresentation:

    receiptPath

    packageDownloadPath

    dealloc

    removeItemAtPath:error:

    writeToFile:options:error:

    sendSynchronousRequest:returningResponse:error:

    requestWithURL:cachePolicy:timeoutInterval:

    absoluteString

    requiredPackageTrustLevelForCurrentMode

    lastPathComponent

    attributesOfItemAtPath:error:

    appendFormat:

    bytes

    stringWithCapacity:

    closeFile

    readDataOfLength:

    seekToFileOffset:

    fileHandleForReadingAtPath:

    fileSystemRepresentation

    pathExtension

    evaluateTrustReturningError:

    _setTrustAnchorCertificateData:

    dataWithBytes:length:

    _setTrustPolicyIdentifier:

    _setAllowsDevelopmentSignedArchives:

    arrayWithObject:

    errorWithCode:path:

    UTF8String

    packageWithPath:

    handleFailureInMethod:object:file:lineNumber:description:

    stringWithUTF8String:

    currentHandler

    length

    unsignedLongLongValue

    lastObject

    NSAssertionHandler

    PKPackage

    CUHelper

    PKInstallRequest

    NSArray

    NSData

    NSFileHandle

    NSMutableString

    NSURL

    root

    wheel

    /Library/Updates

    Error while downloading product :%@ - %@

    Install finished!

    Error callback while installing: %s

    New install state: %s

    com.apple.crsud.DownloadAndInstallUpdates

    Exception caught while downloading or installing product %@

    Error encountered - product will be cleaned up

    Exception caught in installProducts:  %s

    _productsToDownload

    @"NSMutableArray"

    _productsToInstall

    _installClient

    @"PKInstallClient"

    _installState

    _installError

    _installingNow

    installClientDidFinish:

    v12@0:4@8

    installClient:didFailWithError:

    v16@0:4@8@12

    installClient:currentState:package:progress:timeRemaining:

    v36@0:4@8i12@16d20d28

    registerProduct:

    c12@0:4@8

    installProducts

    _cleanupPackages

    downloadProductIfNeeded:

    i12@0:4@8

    addProductToDownload:

    addProductToInstall:

    createDirectoryForProductKey:

    directoryForProductKey:

    CUProductManager

    localizedDescriptionForInstallState:

    scheduledTimerWithTimeInterval:target:selector:userInfo:repeats:

    self

    initWithRequest:delegate:error:

    requestWithPackages:destination:

    downloadAndVerify:

    count

    countByEnumeratingWithState:objects:count:

    needsToBeDownloaded

    needsToBeInstalled

    addObject:

    createDirectoryAtPath:withIntermediateDirectories:attributes:error:

    numberWithInt:

    dictionaryWithCapacity:

    fileExistsAtPath:isDirectory:

    rangeOfString:

    stringByAppendingPathComponent:

    NSMutableArray

    NSFileManager

    NSMutableDictionary

    NSNumber

    PKInstallClient

    NSTimer

    NSException

    PKInstall

    CUErrorDomain

    @16@0:4i8@12

    allowDevSignedPkgs

    userInfo

    dictionary

    /var/db/install

    %@/crsud.plist

    CriticalUpdates:  Error attempting to create the preferences file - critical updates may fail

    com.apple.xprotectupdater

    com.apple.crsud

    TRUE

    xProtect = %@, crsud = %@

    Syncing up xprotect and codeginger preferences...

    com.apple.ServiceManagement.daemons.modify

    Error obtaining right to modify launch prefs: %@

    Disabling crsud service - xprotect was found disabled...

    Error attempting to enable crsud:  %@

    _prefsDict

    @"NSMutableDictionary"

    _dirty

    _prefsURL

    @"NSURL"

    _osVersion

    _serviceEnabled

    _protectedPreferencesFileURL

    evCertCheckDisabled

    forceScanAlways

    lastScanTimestamp

    schedulingInterval

    catalogURLHost

    serviceEnabled

    logLevel

    setObject:forKey:

    _writePrefs

    _readPrefs

    _syncUpXProtectAndCodeGingerSettings

    boolValue

    integerValue

    writeToURL:atomically:

    dataFromPropertyList:format:errorDescription:

    unlock

    dataWithContentsOfURL:

    lock

    fileURLWithPath:

    createFileAtPath:contents:attributes:

    dataWithPropertyList:format:options:error:

    dictionaryWithObject:forKey:

    fileExistsAtPath:

    stringWithFormat:

    protectedCacheDirectory

    authorizationRef

    obtainWithRight:flags:error:

    authorization

    NSLock

    SFAuthorization

    LogLevel

    CatalogURL

    CatalogURLHost

    CatalogURLScheme

    SchedulingInterval

    ScanInterval

    LastSuccessfulScanDate

    ForceScanAlways

    AllowDevSignedPkgs

    LogHttpTraffic

    DisableEVCheck

    OSVersionOverride

    crsud

    Canceling PA timeout

    Scheduling PA timeout in %d seconds

    Releasing power assertion: %@

    No assertion exists while trying to release the assertion

    Taking power assertion: %@

    NoIdleSleepAssertion

    Could not create assertion - failed with status %d

    _timerSource

    ^{dispatch_source_s=}

    releasePowerAssertion

    v16@0:4@8i12

    scheduleTimeoutForPA:

    v12@0:4i8

    cancelTimeout

    init

    com.apple.SoftwareUpdate.SUCatalogFetchAuthenticationHandler

    FALSE

    setting cert validated for host %@ = %@

    https

    certValidatedForURL %@ = %@

    isHostDisabledForEVCheck %@ = %@

    Failed Software Update - trust evaluation failed in SecTrustEvaluate: %d

    Failed Software Update - trust evaluation failed in SecTrustEvaluate with result: %d

    Organization

    Apple Inc.

    Accepting valid EV Cert from host %@ with org name: %@

    Failed Software Update - Refusing invalid certificate from host: %@

    _certValidatedByHost

    _updateQueue

    ^{dispatch_queue_s=}

    _evCheckingDisabledByPref

    _disabledHosts

    _setCertValidated:forHost:

    v16@0:4c8@12

    certValidatedForURL:

    isHostDiabledForEVCheck:

    disableHostForEVCheck:

    CUAuthenticationHandler

    numberWithBool:

    scheme

    credentialForTrust:

    stringWithString:

    finishAuthenticationChallenge:usingCredential:shouldContinue:

    serverTrust

    authenticationMethod

    containsObject:

    initWithObjects:

    CUURLAuthenticationHandler

    NSURLCredential

  • andyBall_uk Level 6 (17,470 points)
    Mar 21, 2013 11:55 AM (in response to WZZZ)

    10.6.8: crsud didn't run successfully again here until the checkbox was toggled off/on - although it ran on first boot post-update.

  • WZZZ Level 6 (11,875 points)
    Mar 21, 2013 2:14 PM (in response to andyBall_uk)

    Just tried toggling off/on: nothing. Although it did run, or at least Little Snitch asked to allow it and I allowed it earlier today. Whether that means it actually ran anything, I have no idea, since the logs show nothing.

  • andyBall_uk Level 6 (17,470 points)
    Mar 21, 2013 6:10 PM (in response to WZZZ)

    No logs here either, except when it ran after reboot & the connection was offline, then on verifying a package & installing it; but crsud.plist will be modified with a last success entry, and root's Library/Caches/crsud/cache.db is altered too.

  • WZZZ Level 6 (11,875 points)
    Mar 22, 2013 3:25 AM (in response to andyBall_uk)

    I don't have that cache.db anywhere.

     

    /private/var/db/install/crsud.plist, which you mentioned, appears to have been updated yesterday, presumably from when crsud asked to run.

        <key>LastSuccessfulScanDate</key>
        <date>2013-03-21T16:56:13Z</date>

     

    Message was edited by: WZZZ
