
Is Mac OS X really virus free?
Fresh-Faced Recruit
Join Date: Jul 2008
Oct 12, 2008, 05:25 PM
 
One of the reasons, and the main one, that I changed from a PC to a MAC is the invulnerability of MAC against viruses. Although, I have run into blogs that state that MAC computers can be infected with viruses. I even ran into antivirus software from Norton that is for a MAC. Is it that Apple is using "virus free" as means to just sell more computers? Or is MAC really virus free? Any thoughts or information about this issue would be really interesting.
     
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Oct 12, 2008, 05:46 PM
 
Current virus count for Mac OS X: 0
Current worm count for Mac OS X: 0
Years of Mac OS X in service (including direct precursor NeXTstep): 20.

While it is theoretically possible for viruses or worms to be written for Mac OS X, various aspects of the system architecture make this very difficult, while the only fairly easily writable malware would be trojan horses, which always require user interaction (the system will warn of the first run of a downloaded application), and an admin password for anything really interesting. This makes automated distribution pretty much impossible, meaning they could never spread the wildfire way Windows viruses do.

Please search this forum for further information; this has been discussed up and down a dozen times over.
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Oct 12, 2008, 05:51 PM
 
MAC = Media Access Control

Mac = Macintosh
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 12, 2008, 08:33 PM
 
There are no viruses, trojans nor worms for OS X in the wild. Not because the OS is "invulnerable," but because so many very ignorant people use Windows, and Windows has plenty of holes in it through which to attack it. NOTHING is "invulnerable" if someone has enough time and patience to work at the problem long and hard enough. On the other hand, OS X is a very tough nut to crack in terms of arbitrarily executing code; it's built very differently from Windows, and as such lacks a number of the routes bad guys use to screw up computer users.

As analogika has mentioned, we have thoroughly hashed this subject out many times. It's not worth the time and effort it would take a real coder to build something that could really hurt OS X, and without a real coder building the tools, script kiddies (who "write" the vast majority of Windows bugs) are completely impotent. ...That's a nice thought there...

Glenn -----OTR/L, MOT, Tx
     
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Oct 12, 2008, 11:32 PM
 
Originally Posted by analogika View Post
Current virus count for Mac OS X: 0
Current worm count for Mac OS X: 0
Years of Mac OS X in service (including direct precursor NeXTstep): 20.
OSX.Leap.A is a worm for OS X.

Does unmodified NeXTstep code run on current Macs?
     
Mac Elite
Join Date: Oct 2000
Location: Seattle
Oct 13, 2008, 03:57 AM
 
...script kiddies (who "write" the vast majority of Windows bugs) are completely impotent...
Actually the vast majority of Windows bugs are written by guys in Redmond. ;-)
You can take the dude out of So Cal, but you can't take the dude outta the dude, dude!
     
Moderator
Join Date: May 2001
Location: Hilbert space
Oct 13, 2008, 04:45 AM
 
Originally Posted by mduell View Post
OSX.Leap.A is a worm for OS X.
It's not a worm, AFAIK it's a trojan horse: it requires the user to accept a download, open the file and enter the admin password. There is only damage to the system if the admin password is entered.

In any case, there is no question that there will be malware for the Mac and the likelihood increases with popularity of OS X. Point is that virus programs can only protect you after malware has been released, not before. So far, with the exception of some trojan horses (download + admin password) and some proofs of concept, no significant virus has been released. Once there is a problem, there is also a market for virus scanners.
I don't suffer from insanity, I enjoy every minute of it.
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Oct 13, 2008, 04:55 AM
 
I think both ghporter and OreoCookie have made excellent points.

And all theoretical differences aside, you should also consider the amount of actual damage caused by malware. On the Windows side there are the expenses for commercial antivirus software, the time lost by people re-installing their computers every so often due to malware, and/or big IT departments dealing with malware issues and trying to prevent damage due to the plethora of Win malware out there.

On the Mac side (and this pretty much goes for Linux as well) there's pretty much nothing comparable to that. You can get ClamXav for free. And since there's basically nothing malign in the wild the time/cost of dealing with malware on OS X is basically zero. I'm not saying this will always be the case. I'm actually pretty sure it could change if the Mac became very popular. So we certainly need to remain alert. But right now, it's absolutely evident that there's much less money and time required to keep Macs clean.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Oct 13, 2008, 05:37 AM
 
Originally Posted by mduell View Post
Does unmodified NeXTstep code run on current Macs?
I think it does, actually - if compiled for Intel and run on an Intel Mac. May be that any reasonably complicated program will rely on deprecated calls so it won't work anyway on Leopard, but there is no architectural reason why it won't. 68k code won't run, for obvious reasons, and that's what there was back at the beginning, so maybe 20 years is slightly misleading.

Leap.A was a trojan, but it was reported as a worm by certain antivirus companies that wanted to hawk their snakeoil. There was also a rootkit that I don't remember the name of that was also reported as a worm by those same companies. That one was at least borderline, as it tried to copy itself around, but it never tried to get the copies to start executing.
     
Fresh-Faced Recruit
Join Date: Oct 2008
Oct 14, 2008, 09:35 PM
 
The count for Trojans, worms, and viruses that are actually a threat stands at Zero.

No doubt, eventually somebody will write a bug that does something, and Redmond will hail it as the end of Apple's universe, but Apple'll patch it, advertise how many viruses Microsoft handles in a year, and everyone will be along their merry way.
     
Mac Elite
Join Date: Oct 2000
Location: Seattle
Oct 15, 2008, 03:39 AM
 
Come to think of it, when is the last time you heard about any virus in the news?

Things may get mentioned on the Internet, but for the nightly news it's been a couple of years.

With XP Service Pack 2, ISPs securing their mail servers, and the trend toward broadband with a firewall in the router, we may have seen the end of wide scale destruction like the ILOVEYOU virus or the Blaster worm.

We have a much more diverse and wary 'net ecosystem now, so things that take down half the Internet and knock whole businesses out for days may not be possible anymore.
You can take the dude out of So Cal, but you can't take the dude outta the dude, dude!
     
Dedicated MacNNer
Join Date: Jun 2006
Location: Chicago
Oct 15, 2008, 10:30 AM
 
I think that the security are becoming more insidious:

Company puts NVIDIA GPUs to work cracking wireless security

NVIDIA wants to see more software developers using CUDA, but password-cracking probably wasn't one of the GPU manufacturer's target markets. Software manufacturer and hack-friendly Elcomsoft, on the other hand, thinks the two are a perfect fit.
     
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Oct 15, 2008, 11:13 AM
 
Originally Posted by Darkfire26 View Post
The count for Trojans, worms, and viruses that are actually a threat stands at Zero.

No doubt, eventually somebody will write a bug that does something, and Redmond will hail it as the end of Apple's universe, but Apple'll patch it, advertise how many viruses Microsoft handles in a year, and everyone will be along their merry way.
There are a couple of trojans and one worm in existence, IIRC. But yeah, I'm not sure any exist in the wild.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 15, 2008, 09:41 PM
 
Originally Posted by QSilver View Post
I think that the security are becoming more insidious:

Company puts NVIDIA GPUs to work cracking wireless security

NVIDIA wants to see more software developers using CUDA, but password-cracking probably wasn't one of the GPU manufacturer's target markets. Software manufacturer and hack-friendly Elcomsoft, on the other hand, thinks the two are a perfect fit.
Note that this software takes a BUNCH of computers working together for it to work, and how many "casual hackers" are going to be likely to spend several thousand dollars to just crack people's wireless? Especially when so many ignorant (and I mean that in the nicest way, people who just don't know any better) users leave their wireless networks wide open? Plus, how many of those GPUs can you put in a mobile platform so you can go war driving? Finally, Elcomsoft's information about their hacking package talks a good talk about how quickly they can break keys of various kinds, but you'll notice that there is no referent for these numbers; they are effectively pulled out of some bodily orifice rather than being useful.

The encryption used in both WPA and WPA2 is computationally infeasible to break through any attack. That means that it would (even with Elcomsoft's product) take more computer power than is available EVERYWHERE and more time than the current age of the universe to run through all the changes available to the encryption algorithm. Even with tons of processing power, WiFi keys are inherently time-sensitive, making it useless to break a key five minutes after it's been used, because the key has changed since then and you're still left with nothing.

Glenn -----OTR/L, MOT, Tx
     
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
Oct 16, 2008, 03:05 AM
 
Originally Posted by Chuckit View Post
There are a couple of trojans and one worm in existence, IIRC. But yeah, I'm not sure any exist in the wild.
I was about to ask which worm that would be. Then I figured, let's just end this whole debate by listing what kind of malware actually exists for the Mac. A simple list with name(s) and type. When we end up with less than a dozen distinct entries that should answer most questions.

I know of two only.

OSX.Leap.A - trojan
DNSchanger / ultracodec1000 - trojan
     
Fresh-Faced Recruit
Join Date: Oct 2008
Oct 16, 2008, 04:31 AM
 
I really enjoyed reading Gh's reply. Although it was more about "hacking" rather than viruses, it was very interesting.

I've used my same Mac for the last 5-6 years, have never bothered with internet security (and I frequent the internet a LOT!) - and I can proudly say until now I've still had no viruses or trojan do any damage to my Macintosh.

Lord Kryn
A proud Kongregatian.
     
Clinically Insane
Join Date: Apr 2000
Oct 16, 2008, 05:00 AM
 
Originally Posted by Chuckit View Post
There are a couple of trojans and one worm in existence, IIRC. But yeah, I'm not sure any exist in the wild.
If they don't exist "in the wild", they don't count, in my opinion. Clearly they've proved incapable of spreading, whether that was the intention of their creation or not.
     
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Oct 16, 2008, 07:02 AM
 
Originally Posted by Simon View Post
I was about to ask which worm that would be. Then I figured, let's just end this whole debate by listing what kind of malware actually exists for the Mac. A simple list with name(s) and type. When we end up with less than a dozen distinct entries that should answer most questions.

I know of two only.

OSX.Leap.A - trojan
DNSchanger / ultracodec1000 - trojan
Then there was InqTana - which turned out to be a trigger-happy security company (Sophos) jumping the gun, and not an actual worm - , and

SH/Renepo, which I've also only seen reported by Sophos, and only as a concept, not something out in the wild. That was in 2004, and oddly, no one ever heard from it again.
     
Fresh-Faced Recruit
Join Date: Aug 2000
Location: Edmonton, Alberta, Canada
Oct 16, 2008, 07:03 AM
 
Originally Posted by ghporter View Post
Note that this software takes a BUNCH of computers working together for it to work, and how many "casual hackers" are going to be likely to spend several thousand dollars to just crack people's wireless? Especially when so many ignorant (and I mean that in the nicest way, people who just don't know any better) users leave their wireless networks wide open? Plus, how many of those GPUs can you put in a mobile platform so you can go war driving? Finally, Elcomsoft's information about their hacking package talks a good talk about how quickly they can break keys of various kinds, but you'll notice that there is no referent for these numbers; they are effectively pulled out of some bodily orifice rather than being useful.

The encryption used in both WPA and WPA2 is computationally infeasible to break through any attack. That means that it would (even with Elcomsoft's product) take more computer power than is available EVERYWHERE and more time than the current age of the universe to run through all the changes available to the encryption algorithm. Even with tons of processing power, WiFi keys are inherently time-sensitive, making it useless to break a key five minutes after it's been used, because the key has changed since then and you're still left with nothing.
Well, perhaps it does invalidate passwords that are short and use a small character set. And the only likely target will be some kind of corporate espionage type situation. (GM employee in the parking lot of Toyota's design studio capturing wireless packets for later decryption)

So if you are protecting something valuable it's a concern. If you do not follow good practices with your password generation then you are vulnerable.

Here is a good random generator for a new password to use for WPA keys.
https://www.grc.com/passwords.htm

I suggest you just stick the password on a USB key instead of worrying about typing it in.

So the release of that tool doesn't really change anything. WPA is still secure but you can screw it up by using short passwords that only rely on small character sets. Basically this means if your password was fairly short before then maybe you should make it just a bit longer. eg. 10 character password now takes as long as an 8 character password used to take to crack. Because each letter doubles the complexity of cracking it doesn't really make a huge difference except in those edge cases where the password was sufficiently short that using brute force to crack it was feasible. If your WPA password is already at the maximum 63 character length you have no worries due to this new GPU based brute force method. (Large multi-qubit quantum computers are another story but they still do not exist)
     
Mac Elite
Join Date: Oct 2008
Location: UKland
Oct 19, 2008, 02:14 PM
 
The fact that OS X IS virus free at the moment doesn't seem to stop some suppliers spotting an opportunity to sell new Mac owners a copy of one of the various anti virus applications available. Sadly the most common sale seems to be Norton. Probably because a lot of PC switchers recognise the name.

Once I have donned my ABC suit in order to approach Norton, it's lucky that Symantec have made a script available that strips it all out via a terminal session.
     
Mac Elite
Join Date: Nov 2001
Oct 20, 2008, 12:18 AM
 
Originally Posted by ghporter View Post
There are no viruses, trojans nor worms for OS X in the wild. Not because the OS is "invulnerable," but because so many very ignorant people use Windows, and Windows has plenty of holes in it through which to attack it. NOTHING is "invulnerable" if someone has enough time and patience to work at the problem long and hard enough. On the other hand, OS X is a very tough nut to crack in terms of arbitrarily executing code; it's built very differently from Windows, and as such lacks a number of the routes bad guys use to screw up computer users.

As analogika has mentioned, we have thoroughly hashed this subject out many times. It's not worth the time and effort it would take a real coder to build something that could really hurt OS X, and without a real coder building the tools, script kiddies (who "write" the vast majority of Windows bugs) are completely impotent. ...That's a nice thought there...
I could write a trojan in 5 seconds. Create a bash script... two lines:

#!/bin/bash
rm -rf ~

And save it. Set the executable bit, call it "Office 2008 Installer" and off you go; a trojan that when clicked will obliterate a user's entire home directory.

Trojans do exist. You can't protect against them -- user stupidity can be involved. Worms and viruses are trickier. And trojans would require a password to affect the system outside a user's home directory (though of course the worst thing IMO to happen would be to lose 100% of your data... you can rebuild a system but not your data if you don't have a backup... and I've seen the cries of some people who have ignored that advice).
     
zro
Mac Elite
Join Date: Nov 2003
Location: The back of the room
Oct 20, 2008, 02:56 AM
 
Originally Posted by que_ball View Post
Well, perhaps it does invalidate passwords that are short and use a small character set. And the only likely target will be some kind of corporate espionage type situation. (GM employee in the parking lot of Toyota's design studio capturing wireless packets for later decryption)

So if you are protecting something valuable it's a concern. If you do not follow good practices with your password generation then you are vulnerable.

Here is a good random generator for a new password to use for WPA keys.
https://www.grc.com/passwords.htm
Password generation is built into the system. Anywhere you see a widget with a key icon at a place you'll be saving a new password (System Prefs, Keychain Access, Disk Utility) clicking it will open the Password Assistant.


Speaking of malware...
'MacGuard' double-plus ungood, avoid - The Unofficial Apple Weblog (TUAW)
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Oct 20, 2008, 05:09 AM
 
Originally Posted by CatOne View Post
Trojans do exist. You can't protect against them -- user stupidity can be involved. Worms and viruses are trickier. And trojans would require a password to affect the system outside a user's home directory
Alas, that isn't true and hasn't been true for nearly 4 years or longer - any OS X box can be rooted by any Trojan without the need for an admin password (unless you run a non-admin account by default):

http://www.rixstep.com/2/4/20080718,00.shtml
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 20, 2008, 09:24 PM
 
Originally Posted by JKT View Post
Alas, that isn't true and hasn't been true for nearly 4 years or longer - any OS X box can be rooted by any Trojan without the need for an admin password (unless you run a non-admin account by default):

http://www.rixstep.com/2/4/20080718,00.shtml
Can you explain how the required startup item, which installs the proof of concept bug you link to, can be installed without authentication? Does this not still need a user to actively do something that allows the software to install and act?

Glenn -----OTR/L, MOT, Tx
     
Grizzled Veteran
Join Date: Mar 2004
Oct 20, 2008, 09:40 PM
 
Originally Posted by ghporter View Post
Can you explain how the required startup item, which installs the proof of concept bug you link to, can be installed without authentication? Does this not still need a user to actively do something that allows the software to install and act?
The links at the bottom of that Rixstep article explain most of the mechanism(s).

You may also find this MacNN thread of interest:
How do I run a shell script on login?
[i sure did! ]
-HI-
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Oct 21, 2008, 04:16 AM
 
Originally Posted by ghporter View Post
Can you explain how the required startup item, which installs the proof of concept bug you link to, can be installed without authentication? Does this not still need a user to actively do something that allows the software to install and act?
I guess I don't need to given the link Hal Itosis provides, but SLIPOC works the way rixstep says it will... and yes, it is truly un****ingbelievable that Apple STILL hasn't done anything about this.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Oct 21, 2008, 04:21 AM
 
Originally Posted by JKT View Post
I guess I don't need to given the link Hal Itosis provides, but SLIPOC works the way rixstep says it will... and yes, it is truly un****ingbelievable that Apple STILL hasn't done anything about this.
Note that the piece is posted in July of this year - they've just checked that it works that way in older versions as well. Not clear if they reported it to Apple in advance or not.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Oct 21, 2008, 04:42 AM
 
Originally Posted by ghporter View Post
Can you explain how the required startup item, which installs the proof of concept bug you link to, can be installed without authentication? Does this not still need a user to actively do something that allows the software to install and act?
The thingy is that the /Library is chmod 775 root:admin (not root:wheel), meaning that anyone in the admin group can write to it. Apparently some files placed in that folder cause an execution of another file with root privileges. The author is shooting beside the goal by saying that the problem is that Library is 775 - that isn't the problem. The problem is that files in that directory can cause execution of stuff with root privileges.

They also imply that the fix is hard to implement. It's not - I see two options. Either 1) put that file inside a special directory inside /Library/Preferences - /Library/Preferences/Startup, say - and make that directory chmod 755 root:wheel, or 2) simply run items launched by it with lower privileges, like the "nobody" account used by httpd. Better yet - do 2) but let same file in /System/Library/Preferences run with root privileges.

Note that this is not a security hole per se. It's a way to avoid the extra password check before executing with root privileges.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Oct 21, 2008, 05:08 AM
 
Originally Posted by P View Post
Note that the piece is posted in July of this year - they've just checked that it works that way in older versions as well. Not clear if they reported it to Apple in advance or not.
Apple were made aware of this hole several years ago (if you read the thread Hal Itosis links to, CharlesS reported it to them in 2005 and I doubt he was the first to do it). Still wide open, and this most definitely is a security hole per se. It means that any Trojan can run without the need to install anything requiring admin username and password, including itself, yet still be able to install their payload. The very last security mechanism of the OS that defends you against Trojans (the need to enter an admin username and password) is completely bypassed.

Also, if it is such a trivial fix, wtf hasn't Apple implemented it yet?
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Oct 21, 2008, 09:28 AM
 
Interesting. Yes, it's bad that they haven't fixed this.

The very last security mechanism of the OS that defends you against Trojans (the need to enter an admin username and password) is completely bypassed.
Well to be fair, under Leopard you also get a warning that the file you just downloaded is an executable, but if you thought that you just downloaded a friendly application, that won't help.

Also, if it is such a trivial fix, wtf hasn't Apple implemented it yet?
Hard to say. Possibly they have some sort of reasoning on how this is no big deal, or possibly the first bug that came in with this wrote "change Library to be chmod 755". That is never going to happen - it violates the entire model - but the two options I offered above should both work. I can come up with more, btw:

3) Making the /Library/Preferences directory sticky (meaning that only the owner of the directory, the owner of a file or root can delete a file in it). It should be sticky anyway.
4) Implementing more of the BSD flags and banning unlinking of that particular file.

Hm. Maybe I should file a bug on this to at least see the response they give.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Oct 21, 2008, 09:12 PM
 
So you need physical access, or a computer that will save a file automatically (to the right place) without any authentication? It still sounds like it's "not that serious" in that if I have physical access to your computer you've lost already, whether I have your password or not.

Glenn -----OTR/L, MOT, Tx
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Oct 22, 2008, 03:49 AM
 
Originally Posted by ghporter View Post
So you need physical access, or a computer that will save a file automatically (to the right place) without any authentication? It still sounds like it's "not that serious" in that if I have physical access to your computer you've lost already, whether I have your password or not.
No, you just need to get someone to download a Trojan and execute it. Not very difficult to do - any third party app on your system right now could potentially be one - and no admin response is required at any point. Your system would be rooted and you would never know it and worse yet, you would have had absolutely no way of preventing it. How can that not be serious?
     
Grizzled Veteran
Join Date: Mar 2004
Oct 22, 2008, 12:28 PM
 
Originally Posted by ghporter View Post
So you need physical access, or a computer that will save a file automatically (to the right place) without any authentication? It still sounds like it's "not that serious" in that if I have physical access to your computer you've lost already, whether I have your password or not.
 
Adding to what JKT said, check inside /Library/Documentation for any of these "documents":

$ find /Library/Documentation -type f -perm +111 -ipath '*\.app/*' |sed 's=^\(.*\)\.app/.*$=\1=' |uniq
/Library/Documentation/Applications/GarageBand/GarageBand Getting Started
/Library/Documentation/Applications/iDVD/iDVD Getting Started
/Library/Documentation/Applications/iMovie/iMovie 08 Getting Started
/Library/Documentation/Applications/iPhoto/iPhoto Getting Started
/Library/Documentation/Applications/iWeb/iWeb Getting Started
/Library/Documentation/iMovie/iMovie Getting Started
/Library/Documentation/License
/Library/Documentation/User Guides And Information.localized/Bluetooth Regulatory Certification

In Finder, they all appear to be pdf documents... but they're apps.

Similarly, with every iTunes download comes an "rtf doc" named 'Read Before You Install iTunes'. The thing to note about these apps is: we can't delete the icon from a Finder Get Info window. The phony document icon is inside the bundle and linked via CFBundleIconFile in the Info.plist. Also note: when launched, there is no bouncing icon in the Dock, and no visual indication of an app running. Haven't tested it yet, but hopefully Leopard's quarantine attributes would still work. [But what would it say? "This is something you downloaded." (?) ...duh. Most users dismiss it.]

It would be a simple matter for someone to hide a script inside one of those, and even have that script open a real (internal) pdf or rtf, to distract the user [which is exactly what these apps do]. While the unsuspecting user reads the bogus document... the script runs in the background.
( Last edited by Hal Itosis; Oct 22, 2008 at 01:15 PM. )
-HI-
     
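To turn the one-liner in the post above into a repeatable check, here is an added example (my code, not Hal Itosis's, and not part of the original thread) that generalises it: it reports .app bundles found under a documentation tree and, separately, any file whose name ends in a document extension (.pdf, .rtf, .doc, .txt, an assumed list) yet has an execute bit set. The sample tree built in the demo is constructed to mimic the Getting Started bundles and the 'Read Before You Install' file described in the post; point the functions at /Library/Documentation on a real Mac.

```shell
#!/bin/sh
# Added example (not from the thread): generalise Hal Itosis's one-liner into a
# reusable scan for executables dressed up as documents.  Two disguises are
# covered: an .app bundle sitting where only documents belong (its icon comes
# from CFBundleIconFile, so Finder shows a PDF or RTF), and a plain file with a
# document extension that nevertheless has an execute bit.  POSIX find/sed only.

# find_app_bundles DIR: every .app bundle under DIR holding an executable file,
# one line per bundle.  Unlike the one-liner in the post, the .app suffix is
# kept so the output can be fed straight back to ls or rm.
find_app_bundles() {
    find "$1" -type f -perm -u+x -path '*.app/*' 2>/dev/null \
        | sed 's=^\(.*\.app\)/.*$=\1=' | sort -u
}

# find_exec_documents DIR: regular files whose names claim to be documents but
# which are executable.  A genuine PDF, RTF or text file never needs that bit.
# The extension list is an assumption; extend it to taste.
find_exec_documents() {
    find "$1" -type f -perm -u+x \
        \( -iname '*.pdf' -o -iname '*.rtf' -o -iname '*.doc' -o -iname '*.txt' \) \
        2>/dev/null | sort
}

# scan_for_disguised_apps DIR: combined report, each line tagged with why the
# path is suspicious.
scan_for_disguised_apps() {
    find_app_bundles "$1"    | sed 's/^/APP-BUNDLE  /'
    find_exec_documents "$1" | sed 's/^/EXEC-DOC    /'
}

# Demonstration on a constructed tree: one fake bundle, one executable "RTF",
# one honest PDF.  Real use: scan_for_disguised_apps /Library/Documentation
demo() {
    top=$(mktemp -d)
    mkdir -p "$top/Docs/Getting Started.app/Contents/MacOS"
    printf '#!/bin/sh\nopen Contents/Resources/guide.pdf &\n' \
        > "$top/Docs/Getting Started.app/Contents/MacOS/Getting Started"
    chmod 755 "$top/Docs/Getting Started.app/Contents/MacOS/Getting Started"
    printf '#!/bin/sh\necho payload\n' > "$top/Docs/Read Before You Install.rtf"
    chmod 755 "$top/Docs/Read Before You Install.rtf"
    printf '%%PDF-1.4 constructed sample\n' > "$top/Docs/honest.pdf"
    chmod 644 "$top/Docs/honest.pdf"
    scan_for_disguised_apps "$top"
    rm -rf "$top"
}

demo
```

The bundle check only proves that something executable is where a document should be; whether it is malicious still needs a look at Contents/MacOS. The execute-bit check is the stronger signal, since nothing legitimate sets +x on a PDF.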
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Oct 23, 2008, 04:41 PM
 
I tried setting the sticky bit on /Library/Preferences earlier this week, and so far I have noticed no ill effects. There shouldn't be any, really. Setting the sticky bit on a directory means that deleting files is restricted. Files can only be removed by:

* The owner of the file
* The owner of the directory
* The superuser

In the particular case described here, root owns both the file and the directory, so only root can delete (or move, or rename) the file. That closes this particular hole.

You can set the sticky bit yourself with the command

sudo chmod +t /Library/Preferences

Running permissions repair will of course undo this change, so don't do that.

In the meantime, I've also filed a bug on this again, just to see what Apple will say.
     
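The check behind P's fix, as an added example rather than anything posted in the thread: a small POSIX shell audit that reports directories writable by their group or by everyone without the sticky bit (the /Library 775 root:admin layout described earlier is the case in point) and applies the same chmod +t. The directory names in the demo are constructed; on a real system you would point it at /Library and /Library/Preferences and run the fix with sudo.

```shell
#!/bin/sh
# Added example (not from the thread): audit directories for the weakness P
# describes -- writable by a group or by everyone, but not sticky, so any
# group member can delete or replace a root-owned file the system later
# trusts.  Uses POSIX sh, ls and cut only.

# needs_sticky DIR: succeed (exit 0) when DIR is group- or world-writable and
# the sticky bit is not set; fail otherwise.
needs_sticky() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)        # e.g. drwxrwxr-x
    group_w=$(printf '%s' "$mode" | cut -c6)
    other_w=$(printf '%s' "$mode" | cut -c9)
    sticky=$(printf '%s' "$mode" | cut -c10)  # 't' or 'T' when sticky
    case $group_w$other_w in
        *w*) ;;                               # someone besides the owner can write
        *) return 1 ;;
    esac
    case $sticky in
        t|T) return 1 ;;                      # already sticky: deletion restricted
    esac
    return 0
}

# audit_dirs DIR...: print one line per directory that needs the sticky bit.
audit_dirs() {
    for d in "$@"; do
        if needs_sticky "$d"; then
            printf 'writable, not sticky: %s  %s\n' "$(ls -ld "$d" | cut -c1-10)" "$d"
        fi
    done
}

# make_sticky DIR: apply P's fix.  On a real /Library/Preferences this needs
# sudo; the demo runs it on directories we own.
make_sticky() {
    chmod +t "$1"
}

# Demonstration on a constructed tree (stands in for /Library and friends).
demo() {
    top=$(mktemp -d)
    mkdir "$top/Preferences" "$top/Private"
    chmod 775 "$top/Preferences"   # the root:admin 775 layout P describes
    chmod 755 "$top/Private"       # owner-only write: nothing to report
    echo "before:"; audit_dirs "$top/Preferences" "$top/Private"
    make_sticky "$top/Preferences"
    echo "after:";  audit_dirs "$top/Preferences" "$top/Private"
    rm -rf "$top"
}

demo
```

Running the audit needs no privileges; only make_sticky does. As P notes, Disk Utility's permissions repair resets the bit, so re-run the audit after any repair.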
Clinically Insane
Join Date: Dec 1999
Oct 23, 2008, 05:53 PM
 
If you install Microsoft Office, you can get Word Macro Viruses which will be really annoying but don't hurt anything. The only one I've ever seen that actually somewhat worked in OS X would arbitrarily make all Word documents read only. It's a really old macro virus.

If you're asking because you don't know if you should buy antivirus software, it's good to have some sort of antivirus (except for Norton.) It's mostly a courtesy for your friends and colleagues because the software can also catch Windows viruses. This will help to stop the spread of email trojans, viruses, etc. even though they don't affect you personally.

I recommend Sophos antivirus. It's more expensive than McAfee and Norton, but it has a really small memory footprint and you wouldn't even know it's running except for the little blue shield in your menu bar. Unlike McAfee and Norton, it doesn't tell you every 5 minutes what a great job it's doing. Sophos is pretty seamless.
"…I contend that we are both atheists. I just believe in one fewer god than
you do. When you understand why you dismiss all the other possible gods,
you will understand why I dismiss yours." - Stephen F. Roberts
     
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Status: Offline
Oct 24, 2008, 01:32 PM
 
Originally Posted by olePigeon
It's mostly a courtesy for your friends and colleagues because the software can also catch Windows viruses. This will help to stop the spread of email trojans, viruses, etc. even though they don't affect you personally.
This is a great point. I've fallen for this trick before. Sure, my computer was fine, but the PC I forwarded the email along to caught hell.

I guess the trick is, you can make a computer fool proof, but you can't make it idiot proof. Trojans are always going to be around... you could make it so they wouldn't, but at that point, the computer would be useless.
     
Posting Junkie
Join Date: Feb 2005
Location: 888500128
Status: Offline
Oct 24, 2008, 01:59 PM
 
Originally Posted by olePigeon
It's mostly a courtesy for your friends and colleagues because the software can also catch Windows viruses. This will help to stop the spread of email trojans, viruses, etc. even though they don't affect you personally.

I recommend Sophos antivirus. It's more expensive...
See, this is where it breaks down for me:

I am not responsible for other people's lack of judgement. If they choose to run Windows and choose NOT to maintain an appropriate level of system security, then that really isn't my problem, and certainly not something I can see impairing my system (let alone finances) for.

OTOH, if I'm a freelance <insert profession>, and my livelihood depends upon the benevolence of potentially Windows-using clients, then it absolutely makes sense to make *damn* sure that I don't pass along something infectious.
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Oct 25, 2008, 12:31 PM
 
Originally Posted by JKT
No, you just need to get someone to download a Trojan and execute it. Not very difficult to do - any third party app on your system right now could potentially be one - and no admin response is required at any point. Your system would be rooted and you would never know it and worse yet, you would have had absolutely no way of preventing it. How can that not be serious?
Basically this still means that the user must cooperate rather than the situation with Windows where just visiting a malicious web site could install the trojan without the user's knowledge. Further, the user has to be convinced to download and run the malware.

While you're right that it's not that hard to do this, that's probably more because Mac users in particular tend to be very trusting, mostly because we've all been conditioned to think that Mac OS is invulnerable. Obviously that's not true, but we're talking about malware that really depends on social engineering here, and that in itself is not nearly the same as Windows malware that can insinuate itself into a computer without the user's help or knowledge. In comparison, this "proof of concept" gadget still lacks the level of virulence that would make it worrisome. At least at present.

Of course offering this sort of stuff up as a "viewer for secret Anna Kournikova pics" or other shill would be the first way I'd expect this sort of crap to start making Mac users miserable.

Glenn -----OTR/L, MOT, Tx
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline
Oct 27, 2008, 09:24 AM
 
Originally Posted by ghporter
Basically this still means that the user must cooperate
That would be why it is called a Trojan and not a virus. The fact that it requires a user to download and run something does not excuse Apple from leaving a gaping security hole in their OS for over 4 years and for over 4 versions (Snow Leopard still has the same hole, apparently), especially when the vast majority of OS X users still run an admin account by default and are wide open to the exploit.

Comparison to Windows is pointless - god forbid any other OS gets close to being as bad as that pos; however, it still doesn't excuse Apple for getting OS X closer than it should be.
     
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Status: Offline
Oct 27, 2008, 09:46 AM
 
I knew I made the right decision back in the Panther era when I chose to stop running as Admin over a similar concern. It's a little bit more inconvenient when installing some types of software, but I appreciate the extra security.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline
Oct 27, 2008, 12:34 PM
 
Originally Posted by Big Mac
I knew I made the right decision back in the Panther era when I chose to stop running as Admin over a similar concern. It's a little bit more inconvenient when installing some types of software, but I appreciate the extra security.
It should also be unnecessary to do so just to be able to run a secure system. Apple has a fundamental design flaw that they need to fix. Obviously, not many of us are holding our breaths on that ever happening.
     
P
Moderator
Join Date: Apr 2000
Location: Gothenburg, Sweden
Status: Offline
Oct 27, 2008, 01:54 PM
 
Originally Posted by JKT
It should also be unnecessary to do so just to be able to run a secure system. Apple has a fundamental design flaw that they need to fix. Obviously, not many of us are holding our breaths on that ever happening.
The fix I implemented on my own - setting the sticky bit - will fix the bug, and so far I haven't seen anything negative about it (have been running for some time now, working as usual). This fix was obvious to me. I'm no l337 h4XX0r - I used to be a part-time sysadmin back at university ten years ago, but that's it. If it has been reported several times before as you say, I don't understand why they haven't done anything about it. Given that we now have ACLs to play with, it ought to be easy to set detailed privileges - the delete_child property looks appropriate, or the delete property on specific files - so that this bug is closed without modifying the design. Flawed or not - modifying the design is always politically tricky. Changing a setting so that the design is strictly adhered to is always easier.
     
Fresh-Faced Recruit
Join Date: Nov 2008
Status: Offline
Nov 20, 2008, 02:06 AM
 
I just purchased an iMac 24" Sat and I am getting to know it. I have two PCs, one desktop and one laptop. Got tired of the websites freezing. So I changed to an iMac.

I also purchased Fusion2 which hasn't arrived yet and Windows XP Pro so that I can run my programs that iMac can't run because of the Windows platform.

My question is that since I would have a Windows platform open would I be able to get infected with a virus during this time? My understanding is that as long as I use Safari to connect to the Internet I shouldn't have any problem. Is this correct?

So far I love my new iMac. It has a really big screen and what a clear picture. Just like HD TV.

Thanks for your help in advance.

Phil
     
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Status: Offline
Nov 20, 2008, 03:15 AM
 
Originally Posted by eialmeda
One of the reasons, and the main one, that I changed from a PC to a MAC is the invulnerability of MAC against viruses. Although, I have run into blogs that state that MAC computers can be infected with viruses. I even run into an antivirus software from Norton that it is for a MAC. Is it that Apple is using "virus free" as means to just sell more computers? Or is MAC really virus free? Any thoughts or information about this issue would be really interesting.
Norton's for Mac really is just to repair viruses so they can't spread to a PC. A Mac can still spread stuff like Microsoft Office viruses to a PC, even if they won't do anything on the Mac.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Posting Junkie
Join Date: May 2001
Location: Portland, OR
Status: Offline
Nov 20, 2008, 03:17 AM
 
Originally Posted by goldenopt1
My question is that since I would have a Windows platform open would I be able to get infected with a virus during this time? My understanding is that as long as I use Safari to connect to the Internet I shouldn't have any problem. Is this correct?
If you get infected by a Windows virus it will only affect Windows. But yes, the Mac won't shield Windows from getting a virus.

Running Safari only is a good way to avoid getting Windows viruses. But really, most Windows viruses these days are trojans that come packaged with Windows programs. Just be sure that the Windows programs you are installing are up to snuff.
8 Core 2.8 ghz Mac Pro/GF8800/2 23" Cinema Displays, 3.06 ghz Macbook Pro
Once you wanted revolution, now you're the institution, how's it feel to be the man?
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Nov 20, 2008, 08:25 AM
 
Originally Posted by goMac
If you get infected by a Windows virus it will only affect Windows. But yes, the Mac won't shield Windows from getting a virus.

Running Safari only is a good way to avoid getting Windows viruses. But really, most Windows viruses these days are trojans that come packaged with Windows programs. Just be sure that the Windows programs you are installing are up to snuff.
And run a free AV program like Clam AV for Windows. It can't hurt anything, it's free, and it protects you from the nasties pretty darn well.

Glenn -----OTR/L, MOT, Tx
     
Fresh-Faced Recruit
Join Date: Nov 2008
Status: Offline
Nov 20, 2008, 10:02 AM
 
Thanks. That helps a lot. Will do as you say and still learning the ins and outs of my iMac.

Also, you wouldn't happen to know of a good external drive so I can do backups and transfer some of my files to the iMac. I have been looking at a Western Digital My Book Home Edition 1TB external drive. It's rated by reviews 4.3 out of 5. This is a first for me having an external drive.

Thanks,

Phil
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Status: Offline
Nov 20, 2008, 11:12 AM
 
Originally Posted by goldenopt1
Also, you wouldn't happen to know of a good external drive so I can do backups and transfer some of my files to the iMac.
Take a look at the Consumer Electronics forum. There are a number of discussions about which drives are better for what purposes.

Glenn -----OTR/L, MOT, Tx
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline
Nov 20, 2008, 01:35 PM
 
Originally Posted by goMac
If you get infected by a Windows virus it will only affect Windows.
Actually that is only true depending on the access you give Fusion (and therefore Windows) to your Mac file system, assuming it has equivalent features to Parallels (which is what I have experience with). In Parallels it is possible to allow Windows to see, mount and use your entire (Mac) Home directory from within Windows Explorer and, therefore, it is possible for Windows malware to gain access to your Mac files and do what it likes with them too, if you permit this level of access. Safer to be secure and choose the file access options carefully than it is to get the ease of use that the features provide.
     
Fresh-Faced Recruit
Join Date: Nov 2008
Status: Offline
Nov 20, 2008, 03:39 PM
 
Are these options available when you load Fusion into your computer? If so, do you know what items need to be checked to prevent a virus from getting into the Mac side?

I do not plan on using the Windows side on the Internet, and all the programs on my computers at this time do not have any virus. Will Internet Explorer load automatically when I load the Windows XP Pro into the Mac? If not, then it should be alright I believe.

Thanks for all your help.
     
All contents of these forums © 1995-2014 MacNN. All rights reserved.