a rock, a paper, and a goat

a love story

OS X Java Security Update


after all the media coverage of the recent flashback malware on os x, apple released another java update yesterday that includes a “removal tool.”

there wasn’t much mention of what the removal tool does in the release notes. how do you use it? what does it do?

on two test machines, running 10.6.8 and 10.7.3, respectively, i installed the latest java update. the receipts db shows that a pkg with id com.apple.pkg.JavaSecurity was installed. checking the flat package contents, it’s part of the payload.

here’s what’s installed:

great. let’s check out /usr/libexec/MRT to see what that does. hey, it’s not there… i checked the paths specified in the payload, but none of them were to be found.

hmmm…

both test machines showed the same behavior: installed the pkg but left no trace of the binaries.

the launchagent installed calls the MRTAgent.app under CoreServices.

similarly, the launchdaemon calls /usr/libexec/MRT.
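a scripted way to repeat this check, as an added example and not code from the original post: the receipt for com.apple.pkg.JavaSecurity is read back with `pkgutil --files`, and every path it lists is tested for presence on disk, so a payload that installed and then vanished shows up as a list of MISSING entries instead of a surprise. the demo at the bottom uses a constructed path list under a temp directory so it runs anywhere; the full paths of MRTAgent.app and the launchd plist in that list are assumed, not copied from the real receipt. `check_receipt` is the wrapper you’d actually run on the os x box.

```shell
#!/bin/sh
# added example, not code from the original post. verifies that every file a
# package receipt claims to have installed is actually present on disk.
#
# check_present ROOT   reads one receipt-relative path per line on stdin
#                      (the form `pkgutil --files` prints, no leading slash),
#                      prints present/MISSING per path and returns the number
#                      missing (0 means the whole payload is on disk).
check_present() {
    root="$1"
    missing=0
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -e "$root/$rel" ]; then
            printf 'present  %s\n' "$rel"
        else
            printf 'MISSING  %s\n' "$rel"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# count_missing ROOT   same input, prints just the number of missing paths
count_missing() {
    if check_present "$1" >/dev/null; then
        echo 0
    else
        echo "$?"
    fi
}

# check_receipt PKGID [ROOT]   what you'd run on os x: pull the file list out
# of the receipts db and check it against the filesystem (root defaults to /).
check_receipt() {
    pkgutil --pkg-info "$1" >/dev/null || return 2     # no receipt for that id
    pkgutil --files "$1" | check_present "${2:-/}"
}

# demo with a constructed payload list under a temp root, so it runs anywhere.
# the MRTAgent.app and plist paths below are assumed, not copied from the receipt.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/libexec"
: > "$demo_root/usr/libexec/MRT"                       # pretend only MRT survived
printf '%s\n' \
    'usr/libexec/MRT' \
    'System/Library/CoreServices/MRTAgent.app' \
    'Library/LaunchDaemons/com.example.MRT.plist' \
    | check_present "$demo_root"
echo "missing: $?"                                      # missing: 2
rm -rf "$demo_root"
```

on a real machine, `check_receipt com.apple.pkg.JavaSecurity` is enough; the exit status is the number of payload paths that are gone, so it drops straight into a script or an `||` check.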

the pkg postflight looks sort of crude:

so it unloads, then loads the launchd jobs. fine so far, i guess.

a very unscientific scan through the MRT binary with strings provides some idea of what it’s looking for, at least. it has some reference to at least two variants of flashback; appears to check safari, chrome, and firefox (but not other browsers); and looks through system and user homedirs.

since it apparently removed itself on my systems, i rsynced the files into place, reloaded the daemon and agent, and tried manually running MRT. as soon as i did that, all the components were gone. so this is the intended behavior?

i’m guessing that on infected machines, it will do some type of removal before removing these components. it seems that apple assumes you’ve installed the java update, so the vulnerability is fixed, and there’s no need for the removal tools any more.

if that’s the case, apple should clarify this is the intended behavior in the release notes. i know some people have been looking to this update to provide some type of useful malware removal and prevention utility, which doesn’t appear to be the case.

am i missing something here? have any of you seen different results?
