Avoid using customized Virex eUpdate settings

Oct 19, '05 05:09:00AM

Contributed by: takeaway

As you probably know, Apple has dropped support for Virex in .Mac, but there are still some people using it. Both Virex 7.2 and 7.5 give you the option to customize your eUpdate settings; the goal is to save you from having to type in your .Mac password every time in certain cases, for example when you are updating Virex but don't have your .Mac account configured. That means the following does not affect all users, just those who have set their username and password in the custom eUpdate settings.

Should you choose to customize your eUpdate settings, Virex does something pretty insecure. Instead of storing your username and password in the Keychain (a task that takes less than 100 lines of code to accomplish for store, retrieve, and update), they store it in a file. In the case of Virex 7.2, the file is stored in your user's ~/Library -> Preferences folder, in a file named VirexPrefs.vprF, with the password and username in plain text!

In the case of Virex 7.5.1, the file is stored in /Library -> Preferences -> com.nai.virex75.prefs.plist, with the username in plain text while the password is hashed. Note, though, that all users have access to this file, and while I am not sure how good the hash is, I do know that by simply copying the file to a second machine, you can have access to Virex updates from that second machine, something that all users can do because all users have read access to the file.

This kind of careless disregard for the protection of a .Mac user's credentials -- hashed or not -- is inexcusable.

If you're a Virex user, please check for the above-listed files and delete them if you find your .Mac info in them. And to prevent their creation in the future, don't customize your eUpdate settings!
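The check the hint asks for, as an added shell script that is not part of the original hint or of Virex: it looks for the two files named above, reports whether other users can read them, and, given your .Mac username, whether that username appears in them in clear text. It deletes nothing; that decision is left to you. The default paths are the ones in the hint; the VIREX72_PREFS and VIREX75_PREFS overrides, the status codes and the sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the hint): report the Virex preference files the
# hint names, whether other users can read them, and whether a given .Mac
# username is stored in them in clear text. Nothing is deleted.

# Default locations from the hint. Overridable (assumption of this example)
# so the check can be run against a copy of the files.
VIREX72_PREFS="${VIREX72_PREFS:-$HOME/Library/Preferences/VirexPrefs.vprF}"
VIREX75_PREFS="${VIREX75_PREFS:-/Library/Preferences/com.nai.virex75.prefs.plist}"

# world_readable FILE -> exit 0 if the "other" read bit is set.
# Parses ls -l output so it behaves the same on macOS and Linux
# (their stat(1) flags differ).
world_readable() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# contains_plaintext FILE STRING -> exit 0 if STRING occurs literally in FILE.
# A literal match also works on a binary plist, whose ASCII strings are
# stored as-is.
contains_plaintext() {
    grep -qF -- "$2" "$1" 2>/dev/null
}

# check_prefs_file FILE USERNAME -> prints one report line and returns:
#   0  file absent (nothing to do)
#   1  file present, but neither world-readable nor holding USERNAME
#   2  file present and world-readable and/or holding USERNAME in clear text
check_prefs_file() {
    f=$1; user=$2
    if [ ! -f "$f" ]; then
        printf 'absent   %s\n' "$f"
        return 0
    fi
    status=1
    flags=""
    if world_readable "$f"; then
        flags="world-readable"; status=2
    fi
    if [ -n "$user" ] && contains_plaintext "$f" "$user"; then
        flags="${flags:+$flags,}username-in-clear"; status=2
    fi
    printf 'present  %s %s\n' "$f" "${flags:-ok}"
    return $status
}

# main [USERNAME] -> checks both files; exit status is the worst of the two.
main() {
    user=${1:-}
    worst=0
    for f in "$VIREX72_PREFS" "$VIREX75_PREFS"; do
        check_prefs_file "$f" "$user" && rc=0 || rc=$?
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return $worst
}

main "$@"
```

Run it as `sh check-virex-prefs.sh yourname@mac.com`; an exit status of 2 means at least one file is either readable by every local user or carries your username in clear text, which is exactly the situation the hint describes.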


Mac OS X Hints
http://hints.macworld.com/article.php?story=20051016125950850