OS X Address Book, security, virii
Clinically Insane (Join Date: Mar 2001, Location: yes)
As society has been plagued with yet another virus (MyDoom I think is what it is called), and its new variant, I've been thinking about the security implementations within the OS X Address Book. Clearly, it's possible to write a virus for OS X in the form of an AppleScript or something that will wipe a drive or at least mess stuff up, but the key to widespread damage is propagation.
The Address Book API was announced for 10.2. Somebody please correct me if my following assumptions are off...
An API isn't a "key" into something so that programs can just do whatever they want; it is a set of structured programming routines that can be called, yielding a very specific result. For instance, many apps in OS X are able to bring up the Address Book panel to select an address (e.g. Mail, Fax, etc.). I think Apple did a good job with providing a consistent panel that is accessible and system-wide.
I'm sure that the API doesn't include instructions for "extract all email addresses", or at least I would hope not (somebody please tell me this is so). The way an actual user would mass-mail would be to set up a group within their Address Book. Can programs create an Address Book group on the fly, automatically include everybody in this group, and send mail to the group? I would also hope not, and would presume not.
I would appreciate hearing from somebody who has programming experience with the Address Book API, and having my assumptions confirmed or denied.
If I'm bang on, it appears nearly impossible to create an OS X virus that would have wide-spread damage, aside from possible instant messenger exploits. With iChat being included with OS X and most people presumably using it, I feel pretty comfortable knowing that Apple probably hasn't designed any gaping security holes into it.
When PC users present the tired argument of "Macs don't have viruses because they don't have a large marketshare", an argument against them is not only the idea that the amount of viruses we have is not proportional to our marketshare, but also that it seems to be impossible to propagate virii through Mail.
That is, assuming I'm right!
So... why doesn't Windows just close off its Address Book so that these stupid virii can't just rampage through them?
(Last edited by besson3c; Jan 28, 2004 at 10:18 PM.)
Addicted to MacNN (Join Date: Jan 2003, Location: ~/)
I think it is technically possible to send someone an AppleScript app that could potentially propagate itself via the addresses stored in the address book, but I don't think it can happen without being visible to the user. On Windows, it can happen without spawning any windows. On MacOS X, unless I'm wrong, you'd actually see the script at work, and notice right away your computer doing "stuff" without you.
Plus, a 'script could not install a trojan deeply into the OS without the user being prompted for an admin password. The damage would be limited to just the user's account (another good reason not to have 'root' enabled).
Clinically Insane (Join Date: Mar 2001, Location: yes)
Originally posted by Cadaver:
I think it is technically possible to send someone an AppleScript app that could potentially propagate itself via the addresses stored in the address book, but I don't think it can happen without being visible to the user. On Windows, it can happen without spawning any windows. On MacOS X, unless I'm wrong, you'd actually see the script at work, and notice right away your computer doing "stuff" without you.
Plus, a 'script could not install a trojan deeply into the OS without the user being prompted for an admin password. The damage would be limited to just the user's account (another good reason not to have 'root' enabled).
So are you certain that an AppleScript can be written to extract all addresses from the Address Book? Can an AppleScript set up an SMTP server and mail stuff?
Clinically Insane (Join Date: Nov 1999)
Originally posted by besson3c:
So are you certain that an AppleScript can be written to extract all addresses from the Address Book? Can an AppleScript set up an SMTP server and mail stuff?
It can. As far as that goes, it is theoretically possible to write a program which does the same sort of thing as a Microsoft e-mail worm.
However, there is one critical difference: it has no way to automatically run. The reason Microsoft e-mail worms spread so quickly is because the idiots at Microsoft set Outlook to automatically open attachments as soon as they're downloaded. You have no chance to look and see if they might be suspicious.
The problem with the Windows/Outlook combination isn't the open Address Book API. There are plenty of other ways to harvest e-mail addresses from a hard disk. For example, a worm could scan the user's hard drive for bookmarks.html files (which almost everyone has), then go to those pages and scrape them for e-mail addresses. So an open API doesn't really make you less secure; it just makes worms a tiny bit easier to write. Automatically running untrusted code, as Outlook does, is what makes you less secure.
That's the real security issue with Outlook (and Entourage as well). No other e-mail clients, on Mac, Windows, Linux, or otherwise, automatically open attachments. This is why only Outlook and Entourage are susceptible to these e-mail worms. Even Hotmail is immune. Actually, "immune" is not quite the right term; the worm just doesn't automatically spread. If you were to manually run the attachment and had anyone in your Outlook Address Book, the worm would activate just as if Outlook had run it. But luckily, most users aren't tricked like that.
Finally, it should be noted that although no one has yet written an e-mail worm which uses the OSX Address Book, an e-mail worm was written for the Mac once, back in the late days of OS9. It used Entourage's Address Book (which was also scriptable), and because Entourage was the only client to auto-open attachments, only it was susceptible.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
Clinically Insane (Join Date: Mar 2001, Location: yes)
Originally posted by Millennium:
It can. As far as that goes, it is theoretically possible to write a program which does the same sort of thing as a Microsoft e-mail worm.
However, there is one critical difference: it has no way to automatically run. The reason Microsoft e-mail worms spread so quickly is because the idiots at Microsoft set Outlook to automatically open attachments as soon as they're downloaded. You have no chance to look and see if they might be suspicious.
The problem with the Windows/Outlook combination isn't the open Address Book API. There are plenty of other ways to harvest e-mail addresses from a hard disk. For example, a worm could scan the user's hard drive for bookmarks.html files (which almost everyone has), then go to those pages and scrape them for e-mail addresses. So an open API doesn't really make you less secure; it just makes worms a tiny bit easier to write. Automatically running untrusted code, as Outlook does, is what makes you less secure.
That's the real security issue with Outlook (and Entourage as well). No other e-mail clients, on Mac, Windows, Linux, or otherwise, automatically open attachments. This is why only Outlook and Entourage are susceptible to these e-mail worms. Even Hotmail is immune. Actually, "immune" is not quite the right term; the worm just doesn't automatically spread. If you were to manually run the attachment and had anyone in your Outlook Address Book, the worm would activate just as if Outlook had run it. But luckily, most users aren't tricked like that.
Finally, it should be noted that although no one has yet written an e-mail worm which uses the OSX Address Book, an e-mail worm was written for the Mac once, back in the late days of OS9. It used Entourage's Address Book (which was also scriptable), and because Entourage was the only client to auto-open attachments, only it was susceptible.
Hmmm....
I thought MS patched Outlook to not automatically execute attachments a long time ago? Are people being infected simply from not having bothered to patch their systems, or am I wrong yet again?
Professional Poster (Join Date: Apr 1999, Location: Copenhagen, Denmark)
Originally posted by besson3c:
Hmmm....
I thought MS patched Outlook to not automatically execute attachments a long time ago? Are people being infected simply from not having bothered to patch their systems, or am I wrong yet again?
MyDoom (AFAIK) requires that people open the attachment.
But the email part of MyDoom isn't really the virus because it also installs stuff on your computer that automatically attacks SCO.
JLL
- My opinions may have changed, but not the fact that I am right.
Clinically Insane (Join Date: Nov 1999)
Originally posted by besson3c:
Hmmm....
I thought MS patched Outlook to not automatically execute attachments a long time ago? Are people being infected simply from not having bothered to patch their systems, or am I wrong yet again?
That's part of it.
The other part of the problem is that they didn't remove auto-execution of attachments outright; they turned it into a preference. A lot of users, not knowing any better, turn it back on. My wife's school district was hit hard by SoBig because of this.
Microsoft should simply have removed the capability completely, no ifs, ands, or buts. They didn't, and we all suffer for it.
Professional Poster (Join Date: Jan 2001, Location: Manchester, UK)
Originally posted by Millennium:
That's part of it.
The other part of the problem is that they didn't remove auto-execution of attachments outright; they turned it into a preference. A lot of users, not knowing any better, turn it back on. My wife's school district was hit hard by SoBig because of this.
Microsoft should simply have removed the capability completely, no ifs, ands, or buts. They didn't, and we all suffer for it.
But that's because MS made the option dumb. If you have the 'Do not allow attachments to be saved or opened that could potentially be a virus' ticked then you can't even receive any attachments at all. So if someone sends you a Word file they want you to read or a picture for their website, then it flags it as 'this email may contain a virus' and there is no way of even seeing the attachment at all. The only way to receive anything (other than text) via email is to unselect that option.
Mac Elite (Join Date: Oct 1999, Location: San Jose, Ca)
The problem is that Microsoft programmed much of their base code with the assumption that everything was to be trusted: the network, email, etc... and they made it so everything could be scripted, after all, your network administrator should be able to send you an email that would change your settings, right?
Now that everyone knows that this was a bad idea, Microsoft has to somehow go back and change all of those decisions, and do so in a way that does not break all of the systems people have in place that use the old behaviors.
This is another case where Microsoft makes bad decisions to begin with (because they are driven by the marketing department), and everyone pays for the patches to try and fix things.
Forum Regular (Join Date: Dec 2002)
Originally posted by Millennium:
Finally, it should be noted that although no one has yet written an e-mail worm which uses the OSX Address Book, an e-mail worm was written for the Mac once, back in the late days of OS9. It used Entourage's Address Book (which was also scriptable), and because Entourage was the only client to auto-open attachments, only it was susceptible.
This is absolutely incorrect. No version of Entourage has ever automatically launched attachments. The only worm to affect Entourage was "Mac.Simpsons" and it relied on the user to open the attachment manually (the worm was a compiled read-only AppleScript). The worm purported to be a link to a Simpsons site, and in fact opened the user's browser to a site, but at the same time mass mailed itself and installed itself as an OS 9 Startup Item.
That worm could just as easily have been written for Eudora or OS X Mail/Address Book, both of which have sufficient AppleScript interfaces to allow such a worm to be written.
Entourage and Outlook are not the same thing and do not share the same vulnerabilities.
As fun as it is to bash MS for MyDoom and its cousins, the truth is that these worms rely on the user to open the attachments. As JLL points out, MyDoom does not rely on Outlook's fabled (and long since patched) tendency to auto-open attachments due to malicious code interpreted by the Preview pane.
It's a social engineering attack, and Macs are just as susceptible. A competent OS X programmer could create a MyDoom variant for OS X Mail in about an hour. It would still require the user to open the attachment, but there are ways to hide a malicious attachment as a document or other innocuous file.
The rule of thumb for email attachments holds just as true for Macs as it does for Windows. Don't open attachments from unknown sources.
More info on Mac.Simpsons:
http://www.macintouch.com/simpsonsvirus.html
http://www.symantec.com/avcenter/ven...mpsons@mm.html
Alex
Clinically Insane (Join Date: Mar 2001, Location: yes)
Originally posted by Basilisk:
This is absolutely incorrect. No version of Entourage has ever automatically launched attachments. The only worm to affect Entourage was "Mac.Simpsons" and it relied on the user to open the attachment manually (the worm was a compiled read-only AppleScript). The worm purported to be a link to a Simpsons site, and in fact opened the user's browser to a site, but at the same time mass mailed itself and installed itself as an OS 9 Startup Item.
That worm could just as easily have been written for Eudora or OS X Mail/Address Book, both of which have sufficient AppleScript interfaces to allow such a worm to be written.
Entourage and Outlook are not the same thing and do not share the same vulnerabilities.
As fun as it is to bash MS for MyDoom and its cousins, the truth is that these worms rely on the user to open the attachments. As JLL points out, MyDoom does not rely on Outlook's fabled (and long since patched) tendency to auto-open attachments due to malicious code interpreted by the Preview pane.
It's a social engineering attack, and Macs are just as susceptible. A competent OS X programmer could create a MyDoom variant for OS X Mail in about an hour. It would still require the user to open the attachment, but there are ways to hide a malicious attachment as a document or other innocuous file.
The rule of thumb for email attachments holds just as true for Macs as it does for Windows. Don't open attachments from unknown sources.
More info on Mac.Simpsons:
http://www.macintouch.com/simpsonsvirus.html
http://www.symantec.com/avcenter/ven...mpsons@mm.html
Alex
I agreed with everything you wrote until you said that Macs are just as susceptible. We have yet to establish whether an AppleScript can rip through the OS X AddressBook, extract email addresses, and send to those addresses.
There were some people here who *believe* that at least part of this is possible, but I'm not so certain this is correct. Not only would the script need to be able to access the Address Book in this manner, but it would need to set up an SMTP server to send the mail with. Since the receiving server would need to have a full conversation with the sender, I would imagine that the SMTP server would need to be run as a daemon. Can this be done without root access? Can AppleScripts authenticate and become root? Would the social engineering work if opening an attachment required people to enter their password, and ignore a big old warning from OS X Mail that the attachment they are clicking on is an executable, and not a jpg?
I could be completely wrong about all of this, but unless you have the answers to these questions, I don't think it is safe to presume that Macs are just as susceptible. If it was purely social engineering and numbers, then how come 5% of the viruses aren't written for Macs?
Mac Elite (Join Date: Dec 2001, Location: Atlanta, GA, USA)
Originally posted by besson3c:
I agreed with everything you wrote until you said that Macs are just as susceptible. We have yet to establish whether an Applescript can rip through the OS X AddressBook. extract email addresses, and send to those addresses.
I don't know if AppleScript can do it or not, but I can tell you that I could write a Cocoa app to do it in about 20 lines of code. The compiled binary would be as small as an AppleScript and would work in much the same manner if someone double-clicked it.
There is NOTHING to stop social engineering, nor can there be without inconveniencing users.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Forum Regular (Join Date: Dec 2002)
Originally posted by besson3c:
I agreed with everything you wrote until you said that Macs are just as susceptible. We have yet to establish whether an AppleScript can rip through the OS X AddressBook, extract email addresses, and send to those addresses.
I admit I'm not at my Mac right now, so I can't check the AddressBook AppleScript interface, but one need not limit worm writers to AppleScript. The address book is available from C/Objective-C APIs.
http://developer.apple.com/documenta...l/AddressBook/
Want a list of every person in the book?
http://developer.apple.com/documenta...01542/CJBGECCG
Originally posted by besson3c:
There were some people here who *believe* that at least part of this is possible, but I'm not so certain this is correct. Not only would the script need to be able to access the Address Book in this manner, but it would need to set up an SMTP server to send the mail with. Since the receiving server would need to have a full conversation with the sender, I would imagine that the SMTP server would need to be run as a daemon. Can this be done without root access?
You're presuming that the worm would not just use the scripting interface to the user's own mail client to generate the messages. That's probably a reasonable assumption. Most users probably wouldn't tolerate a bunch of message windows opening/closing as the worm did its work.
I'd have to check to see if there's a way to have Mail/Entourage/Eudora silently send mail (no visible window for the user). It might be possible, but let's assume it's not and agree that the worm needs its own SMTP engine.
An outbound SMTP session does not require root access. Evidence of this can be found in the fact that your own mail client doesn't require root access to send mail.
An SMTP daemon would require root access, but that is for inbound traffic. Root is required to bind on port 25 (the inbound port). Since the worm is send-only it does not require inbound traffic to work.
There are many networks/ISPs that block outbound traffic to port 25 to prevent random machines from sending SMTP traffic except through their approved outbound servers. This is a problem only to the extent that it requires the worm to read the user's own mail client's outbound SMTP information. Entourage exposes this information to AppleScript/AppleEvents. I don't know if Mail does as well, but I suspect that the values are stored in Mail's own preference file anyway, which any program can read.
If the user uses an SMTP-AUTH outbound connection the worm is probably dead. It would need the password from the Keychain, and Keychain access is app-specific so the worm wouldn't be able to read it. But this isn't that much of an obstacle. SMTP-AUTH isn't as widely used as it probably should be (my own ISP doesn't require it).
I'll back off my earlier assertion. It's not a 1-hour hack, but I bet it could be done in a few days.
Originally posted by besson3c:
Can AppleScripts authenticate and become root?
They can if the user types a password, but remember, root is not required to send mail. And I'm assuming an Objective-C worm now anyway.
Originally posted by besson3c:
Would the social engineering work if opening an attachment required people to enter their password, and ignore a big old warning from OS X Mail that the attachment they are clicking on is an executable, and not a jpg?
Social engineering lives or dies by the decisions the user makes. Mail's dialog is a good safety precaution, and it certainly keeps the user informed. But sometimes users make bad decisions.
Any current version of Outlook will present a very similar warning about attachments to the user. MyDoom still seems to be flourishing. Why? Because it successfully masks its intent through clever message content (looks like a mail bounce or a binary encoded message). It's a zip file, which users (and many server-based attachment precautions) generally treat as safe. It's the executable inside the zip file that's the danger. Users should be smarter than that, but they seem to be clicking it anyway.
Remember that it doesn't need to fool everyone. Just enough to keep sending itself out. A 1% hit rate is enough to keep it viable for a while.
Originally posted by besson3c:
If it was purely social engineering and numbers, then how come 5% of the viruses aren't written for Macs?
There's no easy answer to this, and I think that there are probably a million opinions, many correct. My personal take is that:
- OS X/UNIX is generally better designed and more secure. It is harder for a worm to spread without requiring the user to type a keychain or root password. It is harder to install an "invisible" startup item without root. It is harder to do system-level damage without root.
- OS X mail applications (including both Mail and Entourage) make it harder for a simple script to send mail silently.
- The smaller marketshare makes for a less attractive target if you want to make a big splash.
- OS X mail applications have never had the "auto-launch" holes of Outlook, so there was never an opportunity for those to spread and it's not possible to increase your worm propagation rate by preying on users who haven't updated their software.
- The smaller marketshare makes a low-volume worm less survivable. A 1% hit rate is a lot fewer sent mails in the OS X userbase than it is in Windows.
- There's not a lot of preexisting code to adapt. A lot of the Windows worms are repeated variations on the same codebase. Not everyone unleashing a Windows worm is capable of doing so from scratch. OS X would require (today at least) writing from scratch.
Alex
(Last edited by Basilisk; Jan 29, 2004 at 02:05 PM.)
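The point Basilisk makes above, that a zip is treated as safe by users and by many server-side attachment checks while the executable inside it is the actual danger, is something a mail gateway can test for instead of trusting the container. The following is an added example, not code from this thread or from any of its posters: it builds a constructed sample message (a bounce-styled mail carrying a zip whose member is a fake PE stub named like a document) and inspects every zip attachment member for executable extensions, double extensions and executable magic bytes. The file name lists and the sample message are constructed for the example.

```python
"""Inspect e-mail attachments for executables hidden inside zip containers (added example)."""
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions that run when double-clicked on Windows or the Mac (constructed list, not exhaustive).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".app"}
# Magic bytes of executable formats: PE/MZ, ELF, Mach-O (32/64-bit, both byte orders) and
# fat binaries. 0xcafebabe is also the Java class magic, so treat that one as a strong hint only.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
              b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a file (name plus its first bytes) looks like a disguised executable."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # "photo.jpg.exe": a document-looking name with an executable tail.
        if len(parts) > 2:
            reasons.append("double extension hides an executable behind a document name")
    # Content check independent of the declared name: the bytes say what the file really is.
    if head.startswith(EXEC_MAGIC):
        reasons.append("executable magic bytes regardless of declared extension")
    return reasons


def scan_zip_bytes(data: bytes) -> list[tuple[str, list[str]]]:
    """Open a zip held in memory and classify each member by name and leading bytes."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(8)          # only the header is needed, never run the content
                reasons = classify_member(info.filename, head)
                if reasons:
                    findings.append((info.filename, reasons))
    except zipfile.BadZipFile:
        findings.append(("<container>", ["attachment is named .zip but is not a parseable zip"]))
    return findings


def scan_message(raw: bytes) -> list[tuple[str, list[str]]]:
    """Walk every attachment of an RFC 822 message; zips are opened, other files checked directly."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for member, reasons in scan_zip_bytes(payload):
                findings.append((f"{filename}:{member}", reasons))
        else:
            reasons = classify_member(filename, payload[:8])
            if reasons:
                findings.append((filename, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a bounce-styled mail with a zip holding a fake PE stub named like a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt.exe", b"MZ" + b"\x00" * 62)   # header bytes only, not a program
        zf.writestr("readme.txt", b"Mail transaction failed. See attached.")
    msg = EmailMessage()
    msg["From"] = "mailer-daemon@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Mail Delivery System"
    msg.set_content("The message could not be delivered; the partial message is attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()):
        print(name, "->", "; ".join(why))
```

Only the member name and its first eight bytes are examined; nothing from the attachment is executed or written to disk.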
Clinically Insane (Join Date: Mar 2001, Location: yes)
I completely overlooked Objective-C, or any other object-oriented language, because I figured that your script kiddie is going to want to use a scripting language, not something more robust. If Objective-C is required to do this, surely this is a bit of a deterrent.
Originally posted by Basilisk:
An outbound SMTP session does not require root access. Evidence of this can be found in the fact that your own mail client doesn't require root access to send mail.
An SMTP daemon would require root access, but that is for inbound traffic. Root is required to bind on port 25 (the inbound port). Since the worm is send-only it does not require inbound traffic to work.
But in order to send mail, you are either going to need to use Sendmail or Postfix, both of which require root access to enable, right? As far as a simple proprietary outgoing mail engine, I suppose that is possible, but without one you'll need to know the outgoing mail server, and you'll need to engineer the email to satisfy the restrictions/config of the ISP's SMTP server.
Originally posted by Basilisk:
I'll back off my earlier assertion. It's not a 1-hour hack, but I bet it could be done in a few days.
Sure, anything is possible, but it's clearly a lot harder. It's also a lot harder to make virus creation wizards, and harder for 14 year olds to write.
Originally posted by Basilisk:
They can if the user types a password, but remember, root is not required to send mail. And I'm assuming an Objective-C worm now anyway.
How many Windows viruses are written in object oriented languages?
Originally posted by Basilisk:
There's no easy answer to this, and I think that there are probably a million opinions, many correct. My personal take is that:
- OS X/UNIX is generally better designed and more secure. It is harder for a worm to spread without requiring the user to type a keychain or root password. It is harder to install an "invisible" startup item without root. It is harder to do system-level damage without root.
- OS X mail applications (including both Mail and Entourage) make it harder for a simple script to send mail silently.
- The smaller marketshare makes for a less attractive target if you want to make a big splash.
- OS X mail applications have never had the "auto-launch" holes of Outlook, so there was never an opportunity for those to spread and it's not possible to increase your worm propagation rate by preying on users who haven't updated their software.
- The smaller marketshare makes a low-volume worm less survivable. A 1% hit rate is a lot fewer sent mails in the OS X userbase than it is in Windows.
- There's not a lot of preexisting code to adapt. A lot of the Windows worms are repeated variations on the same codebase. Not everyone unleashing a Windows worm is capable of doing so from scratch. OS X would require (today at least) writing from scratch.
Alex
I agree with all of these points!
Clinically Insane (Join Date: Nov 1999)
Originally posted by besson3c:
How many Windows viruses are written in object oriented languages?
Almost all of them, if you count Visual Basic as an object-oriented language (there is some controversy about this).
Forum Regular (Join Date: Dec 2002)
Originally posted by besson3c:
I completely overlooked Objective-C, or any other object-oriented language, because I figured that your script kiddie is going to want to use a scripting language, not something more robust. If Objective-C is required to do this, surely this is a bit of a deterrent.
Perhaps, but there is reasonable evidence that not all worms are written by the oft-blamed "script kiddie". Some are very sophisticated attacks. The fact that they are often written in scripting languages is not a measure of their relative complexity, or the technical qualifications of the malicious programmer.
In any case, probing the address book is 20 lines or less of C code. This is something a bright person (14-year old or not) could easily learn.
Originally posted by besson3c:
But in order to send mail, you are either going to need to use Sendmail or Postfix, both of which require root access to enable, right?
Nope, neither are required to make an outgoing SMTP connection. Root is not required.
Again, your mail client sends email everyday without a local copy of sendmail or postfix being involved, nor is root required.
Originally posted by besson3c:
As far as a simple proprietary outgoing mail engine, I suppose that is possible, but without one you'll need to know the outgoing mail server, and you'll need to engineer the email to satisfy the restrictions/config of the ISP's SMTP server.
As I mentioned before, all that is required is the address of the ISP outgoing SMTP server. This information is available in pref files the worm can read (and likely from AppleEvent interfaces as well).
As for a built-in SMTP engine, a three word Google search found 4 implementations that could be used on the first 2 result pages alone. There are hundreds (if not thousands) of SMTP implementation samples. It's not hard to write your own, and this is actually a common strategy for recent Windows worms.
Originally posted by besson3c:
How many Windows viruses are written in object oriented languages?
Almost all of them. Seriously. VBScript is one of the most common languages for Outlook worms and VBScript is an object-oriented language.
You're mistakenly conflating "object-oriented" with "difficult". You're also assuming that scripting languages are the preferred means to deliver a worm. Neither are true. Most scripting languages are object-oriented, and C worms are perfectly possible.
Originally posted by besson3c:
...and harder for 14 year olds to write.
Ignore the 14 year olds at your own peril. Bright young people drove development of a lot of the computing industry, and writing a worm doesn't require a driver's license or a college education. It's a simple exercise and there's a wealth of material available to help, all just a Google search away.
Alex