Just got hit with PDF drive-by in Safari
Mac Enthusiast
Join Date: Feb 2005
While surfing in Safari 3.2.1 on MacOS X 10.4.11 (PPC), all of a sudden the Adobe Reader plugin (9.1) started to load and then Safari quit.
I do believe that is the classic symptom of the PDF drive-by exploit.
What should I do?
Forum Regular
Join Date: May 2008
winners and losers--beggars and choosers
talkers, doers-- lost in illusion
Mac Enthusiast
Join Date: Feb 2005
There doesn't seem to be much info out there about how this issue affects MacOS X, except that Adobe has said that the issue involves all platforms.
Any Mac-specific (non-snarky) advice?
Moderator
Join Date: Dec 2000
Location: Polwaristan
I really don't think you have enough evidence from this one crash to say it's a pdf exploit. Adobe Reader isn't the greatest application so it could have been just a corrupt pdf or lousy plugin code on Adobe's part.
Safari will load PDFs in the browser without the Adobe plugin. This will avoid vulnerabilities if you're concerned about them. Otherwise the version you're using -- 9.1 -- should have closed the known vulnerabilities. It was released just a few days ago IIRC.
Mac Enthusiast
Join Date: Feb 2005
Originally Posted by Cold Warrior
I really don't think you have enough evidence from this one crash to say it's a pdf exploit. Adobe Reader isn't the greatest application so it could have been just a corrupt pdf or lousy plugin code on Adobe's part.
I was at a porn torrent search site that was loaded with banners when this happened. There was no reason for a PDF to have been loaded.
The only reason I knew that a PDF was trying to load was because I have AdobeReader javascript turned off and a dialog opened from the Reader plugin notifying that the PDF contains javascript and do I want to enable it.
Then Safari quit.
Is that enough to convince you?
Safari will load PDFs in the browser without the Adobe plugin. This will avoid vulnerabilities if you're concerned about them
True, but on Tiger native PDF display is not as robust.
Otherwise the version you're using -- 9.1 -- should have closed the known vulnerabilities. It was released just a few days ago IIRC.
That's what I thought, but causing Safari to quit is part of the vulnerability...
Moderator
Join Date: Dec 2000
Location: Polwaristan
Bad javascript could just as easily have caused it to hang and crash. What happens in Firefox?
Recommendations:
Make sure your system is fully patched (OS X and assorted third-party software like Adobe).
Keep Reader's javascript set to off (as you've done).
Enable pop-up blocking in all your browsers.
Use an ad blocker like SafariBlock.
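The JavaScript prompt the OP saw from the Reader plugin and the advice above to keep Reader's JavaScript off both come down to one triage question: does a given PDF carry scripting or auto-run features at all? The script below is an added example, not code from this thread, from Adobe or from any product mentioned here. It does a byte-level scan of a PDF for the name objects that scripted PDF attacks rely on (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile, /URI), normalizes the #xx escapes that are sometimes used to hide those names, and flags when compressed streams mean the scan is inconclusive. The three sample PDFs embedded in it are constructed for the demonstration; the second and third carry a harmless alert, not real malware.

```python
"""Offline triage of a PDF for scripting and auto-run features (added example)."""
import re
import sys

# PDF name objects that exploit and dropper documents commonly depend on.
# Their presence is a triage signal, not proof of malice: forms and other
# interactive PDFs use JavaScript legitimately.
RISKY_NAMES = {
    b"/JavaScript":   "JavaScript action",
    b"/JS":           "JavaScript code (string or stream)",
    b"/OpenAction":   "action executed automatically when the file is opened",
    b"/AA":           "additional actions (run on page or form events)",
    b"/Launch":       "launches an external program",
    b"/EmbeddedFile": "embedded file attachment",
    b"/URI":          "opens a URL",
}
STRONG_SIGNALS = {b"/JavaScript", b"/JS", b"/Launch"}   # worth suspicion on their own
AUTORUN_TRIGGERS = {b"/OpenAction", b"/AA"}             # worth a closer look

# A name ends at whitespace, a PDF delimiter, or end of data, so /JS does not
# match inside a longer name such as /JSX.
NAME_END = rb"(?![^\s/\[\]<>(){}%])"


def _unescape_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count risky names in a PDF and return findings plus a triage verdict."""
    norm = _unescape_names(data)
    findings = {}
    for name in RISKY_NAMES:
        hits = len(re.findall(re.escape(name) + NAME_END, norm))
        if hits:
            findings[name.decode()] = hits
    # Dictionaries packed into FlateDecode or object streams are invisible to a
    # byte-level scan, so a clean result on such a file proves nothing.
    hidden = (len(re.findall(rb"/FlateDecode" + NAME_END, norm))
              + len(re.findall(rb"/ObjStm" + NAME_END, norm)))
    found = {n.encode() for n in findings}
    if found & STRONG_SIGNALS:
        verdict = "suspicious"
    elif found & AUTORUN_TRIGGERS:
        verdict = "review"
    elif hidden:
        verdict = "inconclusive (compressed streams not inspected)"
    else:
        verdict = "no scripting features seen"
    return {"findings": findings, "compressed_streams": hidden, "verdict": verdict}


def scan_pdf_file(path: str) -> dict:
    """Scan a PDF on disk (path is whatever the caller passes; nothing is opened by default)."""
    with open(path, "rb") as fh:
        return scan_pdf_bytes(fh.read())


# Constructed samples for the demonstration, not real documents from the thread.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same skeleton, plus an OpenAction that runs a harmless alert on open: the kind
# of document that makes Reader show its "this PDF contains JavaScript" prompt.
JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample');) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The same file with #xx escapes in the names, which a naive substring search misses.
OBFUSCATED_PDF = (JS_PDF.replace(b"/JavaScript", b"/J#61vaScript")
                        .replace(b"/OpenAction", b"/Open#41ction"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, scan_pdf_file(path))
    else:
        for label, blob in (("benign", BENIGN_PDF), ("scripted", JS_PDF),
                            ("obfuscated", OBFUSCATED_PDF)):
            print(label, scan_pdf_bytes(blob))
```

Run it with no arguments to see the three constructed samples scored, or pass file paths to triage downloaded PDFs. The verdict is deliberately conservative: a "suspicious" result means the file deserves a look in a sandbox or a proper PDF parser, while an "inconclusive" result on a real-world file is common, since most PDFs compress their content streams.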
Mac Enthusiast
Join Date: Feb 2005
Originally Posted by Cold Warrior
Bad javascript could just have easily caused it to hang and crash. What happens in Firefox?
I don't use FF because it is not a mac-like app.
And I'm not about to try to reproduce the issue.
I just spent the past day and a half rebuilding my system after an erase/install.
The thing is nobody here apparently believes that a Mac can ever get infected/rooted/etc.
My initial post was asking for advice on how to handle a likely (but unknown) infection/attack.
Instead we end up arguing about whether or not there really was an attack. 
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
I'd say your best bet is to stop browsing "naughty" sites if you're going to be so paranoid. You're worrying about a threat (Mac rootkits) that is so implausible as to be nonexistent. Your reaction reads a lot like mine back when I was 13 and someone on The Palace told me they were able to infect my computer with a virus. But even then I didn't go running to a forum to post about it, and the fear passed after thinking about the situation for a few minutes.
(Last edited by Big Mac; Mar 16, 2009 at 05:43 PM.)
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Professional Poster
Join Date: Mar 2002
Location: Brantford, ON. Canada
Originally Posted by tightsocks
I don't use FF because it is not a mac-like app.
And I'm not about to try to reproduce the issue.
I just spent the past day and a half rebuilding my system after an erase/install.
The thing is nobody here apparently believes that a Mac can ever get infected/rooted/etc.
My initial post was asking for advice on how to handle a likely (but unknown) infection/attack.
Instead we end up arguing about whether or not there really was an attack.
You did an erase and install because your browser crashed?
Perhaps you need to seek advice from a medical forum, not a Mac forum.
There are no viruses that could have infected you.
There are a few trojans, but they are easily enough gotten rid of without re-installing your OS. (And you'd have had to authenticate for it to even install.)
Mac Enthusiast
Join Date: Feb 2005
Originally Posted by kmkkid
You did an erase and install because your browser crashed?
No, I did an erase and install because the circumstances of the crash strongly suggested that it was related to the Adobe PDF drive-by exploit, which is known to cause the app to crash or allow the execution of arbitrary code with the privileges of the user running the app (admin in this case).
Now, just because the app crashed does not mean that Mac-specific hostile code was installed on my system. The attack could have been specific to Windows or whatever.
Of course there are MacOS X rootkits and it is possible that the drive-by/crash did result in its installation.
Then again, if I had posted this on a Win help forum there is a good chance that I would have been directed to appropriate tools to help me assess whether my system had been compromised.
I use a Mac, so I posted at MacNN and instead of helpful advice I get snarky responses and off-topic bickering about whether the drive-by even happened at all...
Professional Poster
Join Date: Mar 2002
Location: Brantford, ON. Canada
Originally Posted by tightsocks
I use a Mac, so I posted at MacNN and instead of helpful advice I get snarky responses and off-topic bickering about whether the drive-by even happened at all...
Because
#1 You're being paranoid.
#2 You just posted this 1 month ago ( http://forums.macnn.com/82/applicati...ve-by-exploit/).
AFAIK any current known OS X vulnerability requires the user to authenticate with an admin's password to elevate rights and install.
You didn't say anything about authenticating so....
If you're that worried (and you seem to be, posting about this twice in a month) download most any Mac Anti-Virus software, it will search out known rootkits/viruses/trojans for Windows and Mac.
Oh, and stop visiting smut sites would also be a good start.
Professional Poster
Join Date: Jan 2002
Location: London, UK
Originally Posted by kmkkid
AFAIK any current known OS X vulnerability requires the user to authenticate with an admins password to elevate rights and install.
Then you would be completely wrong - any exploit publicly acknowledged by Apple, perhaps, but that doesn't mean that there aren't known exploits that bypass authentication. The OP is right - too many here are behaving like head-in-the-sand, it-can't-happen-to-us fanboys instead of trying to be constructive (as is typical).
Fwiw, there is an alternative browser plugin on the Mac (PDF Browser Plug-in) from SchubertIT. It was finally updated to run on Intel Macs recently.
I have no idea if it is vulnerable to the same flaw(s) as Adobe's software (you'd have to consult with the developer to find that out), but it is another option to consider and arguably nicer to use than the Adobe plug-in.
Professional Poster
Join Date: Mar 2002
Location: Brantford, ON. Canada
Originally Posted by JKT
Then you would be completely wrong - any exploit publicly acknowledged by Apple, perhaps, but that doesn't mean that there aren't known exploits that bypass authentication. The OP is right - too many here are behaving like head-in-the-sand, it-can't-happen-to-us fanboys instead of trying to be constructive (as is typical).
Fwiw, there is an alternative browser plugin on the Mac (PDF Browser Plug-in) from SchubertIT. It was finally updated to run on Intel Macs recently.
I have no idea if it is vulnerable to the same flaw(s) as Adobe's software (you'd have to consult with the developer to find that out), but it is another option to consider and arguably nicer to use than the Adobe plug-in.
I haven't heard of any 'real world' 'in the wild' exploits that do, yet.
I'm not saying there isn't a way around, I just haven't heard of any in the wild yet.
No OS is 100% secure, but the OP is whining and acting like a paranoid nelly.
Professional Poster
Join Date: Jan 2002
Location: London, UK

Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Old and highly misleading headline, JKT. It was talked to death days ago on the Mac Rumors forums.
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Originally Posted by JKT
That's a bit like a story that says "You can get AIDS just by touching people" — like, it's technically true, but the vague phrasing hides the fact that this is something we already know and isn't as big a threat as it sounds.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
Professional Poster
Join Date: Mar 2002
Location: Brantford, ON. Canada
Originally Posted by JKT
I'm sorry, where again is/are this/these exploit(s) in the wild?
Oh, it/they isn't/aren't?
Guess what?
I can turn sh!t into gold. And you have to believe me, cause it's on the internets, and therefore true!
Professional Poster
Join Date: Jan 2002
Location: London, UK
My point is that exploits exist, not that they will take down all the Macs in the world in one fell swoop. You can all put your heads in the sand and pretend that they don't, but they do and they are out there in the wild. They might not be the mass exploits that Windows suffers from, and are currently limited to individual machines to which you have physical or network access, but that doesn't provide any succour if you are deploying Macs in an enterprise environment or in public. Ffs, you could crack into a Mac with a few keystrokes in the OS X 10.2 days due to a huge flaw in the screen saver password protection:
Apple's Mac OS X screensaver apparently contains a buffer overflow vulnerability that causes the screensaver to dump not requiring the user to enter a legitimate username and password.
When enabling the password protection on the Mac OS X screensaver users are required to authenticate before leaving the screensaver to gain access to the desktop again. Delfim Machado notified Apple that he had learned of a bug that caused the screensaver to exit without properly authenticating. The vulnerability was discovered when he held down a key on his keyboard for more than five minutes then pressed enter.
Prediction - Charlie Miller is going to be 100% spot-on in his prediction that the Mac will be the first to fall in the upcoming CanSecWest hacking contest, just like it was last year. Why? Because it is eminently exploitable.
Professional Poster
Join Date: Mar 2002
Location: Brantford, ON. Canada
Originally Posted by JKT
My point is that exploits exist, not that they will take down all the Macs in the world in one fell swoop. You can all put your heads in the sand and pretend that they don't, but they do and they are out there in the wild. They might not be the mass exploits that Windows suffers from, and are currently limited to individual machines to which you have physical or network access, but that doesn't provide any succour if you are deploying Macs in an enterprise environment or in public. Ffs, you could crack into a Mac with a few keystrokes in the OS X 10.2 days due to a huge flaw in the screen saver password protection:
Prediction - Charlie Miller is going to be 100% spot-on in his prediction that the Mac will be the first to fall in the upcoming CanSecWest hacking contest, just like it was last year. Why? Because it is eminently exploitable.
I think you've missed the point.
The OP was talking about a specific exploit. Not an exploit where you had access to his Mac.
Most everyone knows that there are holes in every OS. I was simply telling the OP he was paranoid over this specific issue, and that wiping his system for a non-issue was incredibly stupid.
Professional Poster
Join Date: Jan 2002
Location: London, UK
From what I read the OP also admits that what they were doing at the time was browsing content that is a notorious vector for the distribution of malware - including malware for the Mac. If it had been me I probably would have taken similar action myself and been paranoid about the possible implications of what had happened. Yet the responses they are getting are the typical "ooh, Apple can do no wrong, OS X is perfectly safe from exploits and malware because none exists - you are an idiot for daring to think otherwise" reaction.
I despair ...
Fresh-Faced Recruit
Join Date: Sep 2007
What would you like us to tell the OP?
He jumped to the conclusion that it was a drive-by PDF, when it could have been a plethora of other things. You couldn't possibly tell me that Safari has never, ever crashed on you.
What he could have done, since he's clearly skilled at reinstalls, is install a fresh copy, apply all the updates, but not restore any personal files. Then, revisit the same website to see if it happens again.
Posting Junkie
Join Date: Nov 1999
Location: Cape Cod, MA
Torrenting porn? Why? Got a lot of offline wanking to do or something?
Pornhub dot com, you can thank me later.
Professional Poster
Join Date: Jan 2002
Location: London, UK
Originally Posted by JTh
What would you like us to tell the OP?
He jumped to the conclusion that it was a drive-by PDF, when it could have been a plethora of other things. You couldn't possibly tell me that Safari has never, ever crashed on you.
What he could have done, since he's clearly skilled at reinstalls, is install a fresh copy, apply all the updates, but not restore any personal files. Then, revisit the same website to see if it happens again.
...and that is the kind of helpful advice that the OP should have received instead of being treated like an idiot by people choosing to be ignorant of the threats to and the vulnerabilities of their platform. Cold Warrior at least tried to help but the others?
Fwiw:
http://www.computerworld.com/action/...c=news_ts_head
The Mac was owned in 10 seconds this time. 10 ****ing seconds.
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Ten seconds + years of preparation, maybe. It's not good, but the length of time it took the exploit to run is fairly meaningless.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
Professional Poster
Join Date: Jan 2002
Location: London, UK
Btw, potentially no admin password entry was required by the sound of things, though the description of the crack is minimal at the moment owing to the rules of the competition:
The security hole, which Miller said he discovered last year, allows a remote attacker to gain control of a machine simply by getting the computer user to click on a malicious URL, as Miller demonstrated.
"It's not easy, but this worked with one click" from the Safari browser, he said.
Professional Poster
Join Date: Jan 2002
Location: London, UK
Originally Posted by Chuckit
Ten seconds + years of preparation, maybe. It's not good, but the length of time it took the exploit to run is fairly meaningless.
10 seconds strongly implies that the only user interaction needed was to click the link. That is most certainly "not good" and how much preparation was required is meaningless to the person whose machine was just cracked.
Professional Poster
Join Date: Jan 2002
Location: London, UK