Still more on the XProtect Updater

Mike Boylan writes in a reply to my previous post:

…I have to respectfully disagree that disabling the auto-update mechanism for Xprotect should be done in organizations with managed machines. Do you disable the automatic update mechanism for your anti-virus software? Do you manually test every definition update and push each one out through Munki? I’d assume not. Xprotect (clearly) isn’t serving the same type of updates as Apple software update. It’s a malware prevention/blocking (and in some cases, removal) system. I won’t argue that Xprotect’s disabling of Java plugins will almost certainly have a larger impact across organizations than say something like a Sophos definition update, but nonetheless, the intent is still to protect systems. Xprotect and anti-virus software together are meant to serve complimentary roles. These Java plugins are being disabled because serious known exploits are being used in the wild. For a company that cannot function without version xyx of the Java plugin, does it make sense to make changes so that it can continue to operate effectively? Sure. But I doubt most organizations rely that heavily on a single plugin. Also, how many different types of updaters should we as admins be responsible for managing? There are already too many. For most admins, I don’t think it’d be a responsible decision to add Xprotect to the list.

Mike:

If Xprotect’s disabling of web plugins has not caused your organization any issues, or you are willing to react to any issues such disabling might occur in the future, it may well make sense to leave things as they are for your organization.

In my organization, the Java 6 web plugin is required to perform vital, daily business functions. When it doesn’t work, business functions are seriously impacted.

My argument might be subtle.

Apple is acting as systems administrator for machines by updating the XProtect plists. As long as you are content to let Apple make those changes, and won’t complain if Apple makes a change that breaks things for you, by all means, leave the XProtect updater mechanism alone.

If, on the other hand, _you_ are taking responsibility for managing your machines, making sure they are functional for your organization, and keeping them safe from malware, you’ll want to disable _Apple’s_ update of the XProtect malware definitions, and take over updating them yourself.

If you do not want to be surprised that one morning Java or Flash or some other plugin has been disabled on all the Macs you manage, you cannot let Apple update these definitions without your review. You must take responsibility for reviewing and implementing Apple’s changes, or a modification thereof.

Is this more work? Yes. Does it add risk to your organization? Probably. All security is a trade-off between functionality and protection. Malware protection that prevents my users from doing their work is not an acceptable trade-off. Apple has made one decision about the trade-offs, one that protects a great number of Mac users while negatively affecting a very small number of them. That is not the correct decision for my organization.

The only way I can ensure the correct decisions are made for my organization is to not leave the decision making process solely to Apple, but to instead review Apple’s changes and alter them if needed for the benefit of my organization.

Each organization needs to weigh this decision for themselves.

More thoughts on XProtect Updater

I’ve been thinking more about Apple’s Xprotect Updater mechanism in light of the recent updates that have disabled Java web plugins. See yesterday’s post, for example.

In many enterprise environments, admins choose to run their own Software Update server to provide Apple updates. This is done for several reasons. One is to save bandwidth — it’s more efficient for a single machine to download available Apple updates over your Internet connection, then have all the other machines get those updates over the local LAN.

But another reason is to be able to control which updates are offered to your managed computers. Apple may offer an update that causes issues in your organization. For example, we did not deploy the “Java for OS X 2012-006″ update in our environment because it disabled the Java 6 Web Plugin, which we needed.

Yesterday’s Xprotect update essentially did the same thing, this time over a wider range of machines. I quickly put together a workaround, but one of the things the workaround does is to turn off the automatic updates of the XProtect data.

After thinking more about the ramifications of this, I think that this is exactly what most enterprise sites should do. They should treat this update mechanism like all other update mechanisms. I think you should turn this off on most or all of your managed machines.

“But wait,” you are thinking. “Isn’t this risky? Apple is trying to protect users from malware.” If you only turned off the update mechanism on all your machines and did nothing else, you are adding risk. But what you should do is something similar to what an admin that vets Apple Software Updates (or third-party application updates) does before releasing them.

You should enable the update mechanism on an admin machine. When there are new XProtect.meta.plist and/or XProtect.plist files, you should test to see that they don’t cause any issues in your organization, modifying them if needed. You can then use your favorite software deployment system (I like Munki) to distribute these files to your managed machines.

In this way, your managed machines can still get the benefit of updates to Apple’s malware protection mechanism without risking that a component vital to your organization will be blocked without warning.

Disabled Java Plugins, XProtect Updater

Today Apple updated the XProtect.meta.plist file, which, among other things, causes XProtect to disable Java Plugins that don’t meet a minimum version.

The net effect was to disable the Java 6 plugin on all browsers, as well as Java 7 plugins older than 1.7.11.22.

If you need to continue to use the Java 6 plugin in your organization, you can revert the changes and disable the mechanism that updates the XProtect.meta.plist by installing this package:

https://dl.dropbox.com/u/8119814/DisableXProtectUpdater.pkg.zip

This is a payload-free package that runs this script as a postflight:

#!/bin/sh

# don't check JavaWebComponentVersionMinimum
XPROTECT_META_PLIST="$3/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist"
/usr/libexec/PlistBuddy -c "Delete :JavaWebComponentVersionMinimum" "$XPROTECT_META_PLIST"

# disable the xprotectupdater job
LAUNCHD_JOB_PLIST="$3/System/Library/LaunchDaemons/com.apple.xprotectupdater.plist"
/bin/launchctl unload -w "$LAUNCHD_JOB_PLIST"

I won’t tell you this is a smart thing to install; there are many reasons to leave things as they are. Apple disabled these plugins to protect from known exploits. By re-enabling them, you are opening up your managed machines to these exploits.

But if your org needs the Java 6 Web Plugin, this should get you running again. You should re-enable the XProtect updater as soon as you are able, though:

sudo /bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist

NOTE: if you need to re-enable an older version of the Oracle Java 1.7 Plugin, you’ll need to edit the postflight script and add something like:

/usr/libexec/PlistBuddy -c "Set  lugInBlacklist:10:com.oracle.java.JavaAppletPlugin:MinimumPlugInBundleVersion 1.7.10.19" "$XPROTECT_META_PLIST"

(Sadly, WordPress changes a colon followed by a P into a emoticon, even in pre-formatted text. Not helping…)

This sets the MinimumPlugInBundleVersion for the Oracle Java Web Plugin back to the value it was with the 10 Jan 2013 version of the XProtect.meta.plist. Again, if you do this, you are choosing to expose your machines to a known Java Web Plugin exploit. Do so at your own risk.

(Update 01 Feb 21013)
If you need to run the Oracle Java 1.7 Plugin (or are already running it and it’s been disabled) the best fix is to update the Java install. As of this writing, Java 7 Release 13 for OS X is available here. This installs a web plugin with BundleVersion 1.7.13.20.

(Update 02 Feb 2103)
Apple has released a Java 6 update for Snow Leopard. Installing this update will restore Java 6 web plugin functionality under Mac OS 10.6. This won’t help if you need to use the Java 6 web plugin under OS X 10.7 or later.

Mountain Lion and Software Update

Mountain Lion introduces a small, yet significant change in how OS X clients communicate with Apple’s Software Update servers.

Mountain Lion clients by default now consult an HTTPS URL to check for updates on Apple’s servers.

This has the implication that you can no longer use DNS trickery with Mountain Lion clients to get them to access your internal SUS instead of Apple’s. Some organizations configured their internal DNS servers to resolve requests to swupdate.apple.com to an internal server.

The appeal of this approach (DNS hijacking) was that you did not need to touch any client machine to get it to use your internal Softwar Update server; any client using your network would “automagically” use your internal Software Update server.

HTTPS connections do certificate verification of the host. Since your internal SUS can’t offer a certificate proving it is Apple’s server (because it’s not!) a Mountain Lion client will refuse to talk to it. (It’s also possible that your internal SUS is not accepting HTTPS connections anyway, but even if you were to turn that on, it would not help.)

HTTPS prevents exactly the sort of DNS impersonation that made this hack work in the first place. Apple has closed that door.

In order to use an internal Software Update server (either Apple’s or Reposado) with Mountain Lion clients, the clients must be explicitly pointed to your internal server via MCX or by setting the preference using:
defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL <internalSUScatalogURL>

Fixing packages with expired signatures

In my previous post, I provided a tool to enable you to check your collection(s) of packages to determine if any are affected by the Package Apocalypse.

But what to do once you’ve found packages with expired signatures? If Apple has provided an updated replacement package at
http://support.apple.com/downloads/
, it’s probably best to replace the package with the expired signature with the updated one.

But that might not always be possible — Apple has not provided replacements for every package that has been affected, or the replacement might not be practical to use.
(more…)

Package Apocalypse

Earlier this week a certificate Apple had used to sign flat packages over the last couple of years or so expired. This caused Apple to have to reissue a lot of update packages. This greatly affected sites running an Apple software update server, either Apple’s flavor, or the open-source Reposado replacement. See
http://support.apple.com/kb/HT5198
for more info on how this affects Software Update.

This also affects some update packages you might have downloaded from
http://support.apple.com/downloads
. If they are flat packages, it’s possible they may also be signed with an expired certificate. Such packages can be manually installed – Installer.app will display a warning, but you can choose to ignore the warning and proceed.

But if you have a mechanism that uses Apple’s command-line installer tool, these packages will fail to install. This will affect popular tools like InstaDMG, DeployStudio, Apple’s System Image Utility, and any software distribution mechanism that makes use of the command-line installer tool. Some examples include Munki, Casper, and AbsoluteManage.

Worse, this problem affects at least one software package originally distributed on DVD: iLife ’11. If you’ve imported the packages for iLife ’11 into your software distribution mechanism, they may now fail to install because of the expired certificate.

I am working on a tool to fix affected packages. (UPDATE: see this post.) But in the meantime, if you want to get an idea of how many packages you have that are affected by this issue, you might want to make use of a tool I wrote. It will scan a directory of packages or disk images containing packages and print information on any packages with bad or expired certificates.

Get it here.

The tool relies on a pkgutil option introduced in Lion, so you’ll need to run this on Lion!

An example of checkPackageSignatures.py in use:

./checkPackageSignatures.py /Volumes/LaCie/InstaDMG/pkgs-10.6.8/

/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/Install iTunes.pkg:
Package "Install iTunes":
Status: signed by a certificate that has since expired
/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/JavaForMacOSX10.6Update4.pkg:
Package "JavaForMacOSX10.6Update4.pkg":
Status: signed by a certificate that has since expired
/Volumes/LaCie/SIU/Snow Leopard/pkgs-10.6.8/MacOSXUpdCombo10.6.8.pkg:
Package "MacOSXUpdCombo10.6.8.pkg":
Status: signed by a certificate that has since expired


Use this tool to scan any collection of packages you have to see which are affected by this issue. If a replacement package is available from Apple, you should replace it. If there is no replacement, there is hope. Keep checking back here for an update soon.

Cauliflower Vest: FileVault 2 management for enterprise

Google’s MacOps team has released a new open source toolset for managing FileVault 2 for the enterprise: Cauliflower Vest.

Cauliflower Vest offers the ability to:

• Forcefully enable FileVault 2 encryption.
• Automatically escrow recovery keys to a secure Google App Engine server.
• Delegate secure access to recovery keys so that volumes may be unlocked or reverted.

http://google-opensource.blogspot.com/2012/02/cauliflower-vest-end-to-end-os-x.html

http://code.google.com/p/cauliflowervest/

FileVault notes

I’ve published an article on FileVault deployment at macenterprise.org. It’s here.

You can get a PDF version here.

Startup Items Security

Here is an article I did for MacEnterprise.org, responding to a recently published warning of an OS X security vulnerability by rixstep.com. Bottom line: nothing to worry about.