
Should we be quiet about Mac security? or tout it?
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
Mar 29, 2004, 06:39 PM
 
Sometimes I worry if complacency among the Mac community (re: security, viruses, etc.) is some day going to hurt millions of Mac members simultaneously.

Maybe we're lucky to be such a small and unattractive target (so far) for virus writers. But I wonder if Apple isn't missing a HUGE marketing opportunity to promote the SAFETY of OSX for businesses.

Take a peek at the Reuters story (http://reuters.com/newsArticle.jhtml...toryID=4688569) on how badly Euro businesses are hurt (20% shut down by viruses! -- 30-50% in Italy & France!). Shouldn't Apple be out there advertising: "Tired of being infected, robbed, and extorted by virus writers? Switch to OS X!"

Or do you think that would egg on the virus writers to start hitting on us? Your thoughts?
TOMBSTONE: "He's trashed his last preferences"
     
iPond317
Mac Enthusiast
Join Date: Feb 2000
Location: Old Dominion University, Norfolk, VA
Mar 29, 2004, 09:28 PM
 
I've always wondered this, also. I think virus creators would eventually look at the Mac as something to infect as well, but at the present moment I don't really think we should worry. Since I've had my Mac I've only had one virus and it was one of those damn macro MS Word thingies. Gotta love M$!
iPond317 | ODU Apple Campus Rep
"Ten years ago down by the lake I sunk my sweet love down to her watery grave." - Hello Again | DMB

Old: Apple IIc, PowerMac 7200/90, iMac Bondi Blue 233, Titanium PowerBook G4 400 - New: MacBook 2.0, iPhone 8GB, AirPort Extreme Gb, iPod 30GB 5th Gen
     
f1000
Professional Poster
Join Date: Jan 2003
Mar 29, 2004, 09:37 PM
 
I'd prefer Apple not to tout it, unless I knew that doing so would at least double sales.
     
djohnson
Professional Poster
Join Date: Sep 2000
Location: Texas
Mar 29, 2004, 09:49 PM
 
I second the opinion to tout it if it will increase market share! Maybe this is part of the reason the Xserve G5 is doing so well?
     
qyn
Dedicated MacNNer
Join Date: Dec 2000
Location: sj ca
Mar 29, 2004, 09:51 PM
 
Actually, OS X security IS better than windows (and it's not merely a matter of "less attractive target", despite what you might hear).

Consider some of the advantages of OS X:
-All services turned OFF by default (though the firewall should be turned on by default)
-A user model that's not a hack and not optional
-Nothing like VBScript

Out of the box, an OS X machine is surprisingly secure, and surprisingly easy to keep secure (using Software Update).

But the danger is banking on that claim, and finding some sort of security hole later...
     
cambro
Senior User
Join Date: Jan 2002
Location: Laurentia
Mar 29, 2004, 10:09 PM
 
As qyn mentioned, NO system that can actually be used and that communicates with any other device or machine is immune to some sort of exploit. Mac OS X is definitely MUCH more secure than Windows though. Anyone who works in a multi-platform setting can attest to that (and as qyn says, it is not just because most of the exploits are MS windows specific, though this doesn't hurt).

However, even on Windows machines it is user error that permits/causes a large fraction of virus problems (e.g., opening an attachment). I don't use Windows regularly enough to know if there are inherent flaws in the system that make it more likely for users to do dumb things that compromise their system or not.

On OS X, all you need to do is get somebody to type their admin password for you and then all kinds of havoc can be caused...
     
RayX
Dedicated MacNNer
Join Date: Aug 2003
Mar 29, 2004, 10:26 PM
 
Originally posted by cambro:
However, even on Windows machines it is user error that permits/causes a large fraction of virus problems (e.g., opening an attachment).
In the past, Outlook gladly opened attachments for you, just by previewing the e-mail, thanks to various exploits. Unpatched/out-of-date versions of Outlook would still be doing this.

I don't use Windows regularly enough to know if there are inherent flaws in the system that make it more likely for users to do dumb things that compromise their system or not.

By default a Windows user is an Administrator (root), that has complete control over the operating system. Mac OS X's admin user does not have this level of access, and still must authenticate (or use sudo in Terminal) to perform privileged operations. That is a major flaw of Windows.

Scripts being executable without compiling them or marking them as executable in any way is another example (.vbs).
     
macsfromnowon
Junior Member
Join Date: Oct 2003
Mar 30, 2004, 08:07 AM
 
I don't think Apple needs to taunt the virus writers, saying "just see if you can skarooo us...."

But I think they should be pushing their platform (yes, esp. in Europe) as a safer, less expensive (average $6,000 per system cleanup, according to the Reuters article!) way to run your business.

[ Any Europeans here running businesses on Macs want to comment ? ]
     
fr0d
Fresh-Faced Recruit
Join Date: Dec 2003
Mar 30, 2004, 10:34 AM
 
The biggest reason why Windows virii spread so well is simply the sheer weight of numbers - the chance of a virus finding another infectable box is so high that they spread effectively. The only way this could bridge to the Mac is having a virus with two payloads, both Mac and Windows. This would be something of a challenge to do effectively, so I don't think you'll ever see a Mac virus, as I don't believe the union of the sets of market share/insecure/online boxes (Macs are predominantly workstations) will ever be a large enough target. So - tout it all you like!!!!

     
TheSpaz
Grizzled Veteran
Join Date: Nov 2003
Mar 30, 2004, 11:00 AM
 
I think I'll go and write a Mac virus now...
     
f1000
Professional Poster
Join Date: Jan 2003
Mar 30, 2004, 11:49 AM
 
Originally posted by fr0d:
The biggest reason why Windows virii spread so well is simply the sheer weight of numbers - the chance of a virus finding another infectable box is so high that they spread effectively. The only way this could bridge to the Mac is having a virus with two payloads, both Mac and Windows.

Yeah, but what about hardware agnostic languages such as Java?
     
Millennium
Clinically Insane
Join Date: Nov 1999
Mar 30, 2004, 01:59 PM
 
Tout the security far and wide. But as you do, run good anti-virus software, and take steps to ensure your machine is secure.

The worm writers will eventually come. They always do, even to niche platforms (there's glory in being the first to write a worm for a given platform, after all). When they do, we need to be ready, and that readiness can only be assured when the security of OSX has been put through its paces. The more you advertise its security, the more people will attack and fail. And a few will succeed (again, they always do), but that's the only way that problems can be truly fixed.

You can cover the problems up and pretend they don't exist. That's what Microsoft does. And look where it got them.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 30, 2004, 08:39 PM
 
Originally posted by fr0d:
The biggest reason why Windows virii spread so well is simply the sheer weight of numbers - the chance of a virus finding another infectable box is so high that they spread effectively. The only way this could bridge to the Mac is having a virus with two payloads, both Mac and Windows. This would be something of a challenge to do effectively, so I don't think you'll ever see a Mac virus, as I don't believe the union of the sets of market share/insecure/online boxes (Macs are predominantly workstations) will ever be a large enough target. So - tout it all you like!!!!

I don't think the reason why Windows viruses spread is because of the sheer numbers... it is the propagation scheme - the fact that viruses can just go apeshit through your Address Book.

I'll argue with nearly anybody that OS X is inherently more secure than Windows. Sure we can have a virus written for OS X, but the lack of the ActiveX, automatic execution garbage and user level permissions will prevent the virus from propagating very far - at least not the traditional email kind, or the kind that allows you to execute right from a simple dialog off a webpage.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Mar 30, 2004, 09:16 PM
 
Originally posted by besson3c:
I don't think the reason why Windows viruses spread is because of the sheer numbers... it is the propagation scheme - the fact that viruses can just go apeshit through your Address Book.
That would be useless if going through the address book didn't reveal a large number of hosts they can infect. The fact that Macs are uncommon means that a virus sending itself to everyone in your address book would still hit far fewer vulnerable computers, and thus not be able to spread at anywhere near the same rate.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
sniffer
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
Mar 30, 2004, 09:23 PM
 
I don't see why Apple shouldn't tout security more. MS does it all the time, and people buy it. Touted or not, market share, whatever, virus writers and bullseyes... it all doesn't matter. A system can only be secure or insecure, and that's the only factor that matters.

Sniffer gone old-school sig
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 30, 2004, 09:23 PM
 
Originally posted by Chuckit:
That would be useless if going through the address book didn't reveal a large number of hosts they can infect. The fact that Macs are uncommon means that a virus sending itself to everyone in your address book would still hit far fewer vulnerable computers, and thus not be able to spread at anywhere near the same rate.
First of all, the jury is still out whether going through the OS X Address Book in this fashion is even possible.

Regardless, not every Windows user in your Windows Address Book is going to be susceptible to a given Windows virus. All it takes is a couple of successes and you have exponential growth working on your side.

Many Mac users don't run any virus protection, so right off the bat this is working in the favor of the virus writer.

There is certainly something to be said for your ideas, but I've had this conversation many times with different people and nobody has yet convinced me that OS X is not more inherently secure. The technical difficulty of writing a virus for the Mac that reaches a large audience is also an important factor in the absence of an outbreak.
     
wadesworld
Grizzled Veteran
Join Date: Apr 2001
Mar 31, 2004, 09:21 AM
 
First of all, the jury is still out whether going through the OS X Address Book in this fashion is even possible.
No, the jury definitely is not out.

It's called the AddressBook framework. It allows anyone writing code full access to the address book.

But without it, how do you write a contact manager? Or an envelope printing program? Or any business program?

Wade
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
Mar 31, 2004, 09:33 AM
 
Everyone is talking about exploiting the Address Book, but a better target would be the previous recipients list of email addresses in Mail. I have 14 people in my address book, but have hundreds in the previous recipients list.
There is a good thread over at Ars Technica about this very subject.
     
ginoledesma
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
Mar 31, 2004, 10:08 AM
 
Originally posted by f1000:
Yeah, but what about hardware agnostic languages such as Java?
The Java Virtual Machine (JVM) by itself implements certain security measures to prevent an application going reckless with the system, but applications written in Java can do virus-like activities. Heck, if Java applications are explicitly run, they can do whatever they were programmed to do in the first place.

But still, unless Mac OS X, or whatever OS, runs Java applications automatically, the threat of Java viruses isn't really all that much.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 31, 2004, 10:14 AM
 
Originally posted by wadesworld:
No, the jury definitely is not out.

It's called the AddressBook framework. It allows anyone writing code full access to the address book.

But without it, how do you write a contact manager? Or an envelope printing program? Or any business program?

Wade
Read the Ars thread posted by SMacTech. GregOmni (I'm assuming an Omnigroup developer) has this to say (okay, my claim that an app can't go through the AddressBook is pretty misleading, but it still looks like the virus can't be propagated, which is what I should have said):

---

Nope, won't work.

To send an attachment you need to convince the receiving email program that you are sending Content-type: mime/multipart, but Mail.app's scripting support does NOT allow you to set any email headers, and it does NOT allow you send anything besides text/plain. I tried scripting up a trojan myself: I can throw in a real MIME attachment in the outgoing content, encode it correctly, et cetera, and when that email is received, it is a bunch of plain text encoding gunk exactly like the old days with a non-MIME-aware mail tool because I can't get access to the headers that Mail.app is putting onto my scripted email, and upon receipt Mail.app is correctly looking only at the real headers even when I try to make my content look like it has additional valid headers.

I CAN get the user's SMTP server and email address, so I could still send email in his/her name by talking the SMTP protocol directly. This will only work if the user's SMTP server is configured to NOT take a password when sending (which is an optional SMTP extension, although most servers require it now), because I can only get the user's SMTP server password through the keychain, which will ask the user to authorize my script or executable. Or I could always send a bunch of email with any from address I choose through an open relay, if I know of one.

In short:
(a) Address Book.app can be easily scripted to get other email addresses
(b) Mail.app can be easily scripted to get the user's SMTP server and port information
(c) Mail.app can NOT be scripted to send attachments
(c) Scripts or apps can NOT get the user's SMTP password, if any, without explicit keychain authorization by the user

To me, this means that there is no client-side email hole here capable of propagating a trojan. You need server-side support from one of:

(a) An older SMTP server setup that does not require a password to send email. (Note that Mac.com is NOT vulnerable in this way.)
(b) An open relay.
(c) An ISP whose routers allow SMTP traffic outside of the ISP's borders by random clients. (If so, my trojan can connect directly to the intended receiver's mail server and talk SMTP to it instead of the current user's local mail server.)

If you have some other security hole for achieving root access on the local client, there is also the potential attack of scripting the sending of a single innocuous text email and snooping the network traffic in order to grab the user's SMTP password. This only works if it isn't encrypted using SSL, and it is a lot of trouble to go through to get a propagation vector.

- Greg
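To illustrate Greg's point that a receiving client honours only the real headers, here is an added example (written for this page, not code from Greg, Omni or Apple). It parses two messages constructed inline with Python's standard `email` package: a genuine multipart message carrying an attachment, and a text/plain message whose body merely contains the same boundary and `Content-Type:` lines. The addresses, boundary and filename are made up.

```python
"""Why faking MIME headers inside a text/plain body does not yield an attachment.

Both messages below are constructed for this example. In RFC 822 the header
block ends at the first blank line; anything after it is body text, however
much it looks like a header or a multipart boundary.
"""
from email import message_from_string, policy

# Constructed message 1: a genuine multipart message. The Content-Type header
# with the boundary sits in the real header block, so the parser honours it.
GENUINE_MULTIPART = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz123"

--xyz123
Content-Type: text/plain; charset="us-ascii"

Here is the file you asked for.
--xyz123
Content-Type: application/octet-stream; name="report.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.bin"

aGVsbG8=
--xyz123--
"""

# Constructed message 2: what a client limited to sending text/plain produces.
# The client wrote the real headers; the body repeats the boundary lines and
# "Content-Type:" text, but after the blank line they are only body text.
FAKED_IN_BODY = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: report
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Content-Type: multipart/mixed; boundary="xyz123"

--xyz123
Content-Type: application/octet-stream; name="report.bin"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.bin"

aGVsbG8=
--xyz123--
"""


def describe(raw: str) -> dict:
    """Parse a raw message and report what a MIME-aware client would see."""
    msg = message_from_string(raw, policy=policy.default)
    # Only parts whose *real* headers declare an attachment are collected.
    attachments = [
        part.get_filename()
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]
    return {
        "content_type": msg.get_content_type(),
        "multipart": msg.is_multipart(),
        "attachments": attachments,
        # For the faked message the "attachment" survives only as literal text
        # in the body, which is the "plain text encoding gunk" Greg describes.
        "body_mentions_boundary": (
            not msg.is_multipart() and "--xyz123" in msg.get_content()
        ),
    }


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_MULTIPART), ("faked", FAKED_IN_BODY)):
        print(label, describe(raw))
```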
     
ginoledesma
Mac Elite
Join Date: Apr 2000
Location: Los Angeles, CA
Mar 31, 2004, 10:14 AM
 
Apple is basically touting the Mac as a secure platform, though they didn't go out of their way to boast. Should Apple tout it? I don't see why not, since they have been pretty responsive to security updates, exploits, and the like. Keeping quiet is really just what's known as "security through obscurity", which is just hiding the problem. All it really does is add one more level of brief security.
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
Mar 31, 2004, 11:40 AM
 
I think OS X is more secure than a default home install of XP, but I don't think it's *that* much more secure than an average Windows setup in a corporate environment. And they still get severely affected every time some virulent worm comes along.

It would be difficult to write a worm that could do system level damage to a Mac (without getting the user to authorise it first anyway) but you could still wreak a fair amount of havoc with an AppleScript, or shell script for example.

It might not auto-execute, but since when has that stopped email-borne viruses & worms spreading?

The truth is, if you have a situation where people knowingly launch random files obtained over the internet without considering (or even understanding) the possible consequences, you're always going to get viruses & worms.

The only reason we're spared is because we're of sufficiently low density to make the rapid spread of a virus difficult.

So in summary, yes the Mac is more secure - but not particularly because of anything Apple is doing.
     
typoon
Addicted to MacNN
Join Date: Oct 1999
Location: The Tollbooth Capital of the US
Mar 31, 2004, 12:28 PM
 
The other thing about OS X is that it is somewhat open source. So if there is a virus that is written it will most likely be fixed quickly. I say we should tout the security for sure.
"Evil is Powerless If the Good are Unafraid." -Ronald Reagan

Apple and Intel, the dawning of a NEW era.
     
SMacTech
Mac Elite
Join Date: Nov 2001
Location: Trafalmadore
Mar 31, 2004, 12:46 PM
 
Originally posted by Mr Scruff:

So in summary, yes the Mac is more secure - but not particularly because of anything Apple is doing.
I guess Apple just happened to pick BSD just for the heck of it. Do a simple Google search like this and read some of it.
I also don't know how my Mac is affected 'severely' by the virulent worms other than a DoS to a favorite site or clogged up internet pipes.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 31, 2004, 03:02 PM
 
Originally posted by Mr Scruff:
I think OS X is more secure than a default home install of XP, but I don't think it's *that* much more secure than an average Windows setup in a corporate environment. And they still get severely affected every time some virulent worm comes along.

It would be difficult to write a worm that could do system level damage to a Mac (without getting the user to authorise it first anyway) but you could still wreak a fair amount of havoc with an AppleScript, or shell script for example.

It might not auto-execute, but since when has that stopped email-borne viruses & worms spreading?

The truth is, if you have a situation where people knowingly launch random files obtained over the internet without considering (or even understanding) the possible consequences, you're always going to get viruses & worms.

The only reason we're spared is because we're of sufficiently low density to make the rapid spread of a virus difficult.

So in summary, yes the Mac is more secure - but not particularly because of anything Apple is doing.
You make some good points, but I also think you've missed an important point. Sure a virus can infect OS X, but how would it *propagate*?

That's the key.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Mar 31, 2004, 04:30 PM
 
The one thing that concerns me is that, since OS X has the reputation for being essentially virus free, people may write off virus protection completely and thus be caught totally off guard in the event someone decides to target the platform. Back in the olden days of the Mac there was a terrific freeware virus protector called Disinfectant. It was a nice addition to one's Mac, if only for the small amount of extra comfort it provided. Sure, as time went on the program aged; it never attempted to deal with Word Macro viruses, and eventually it was discontinued. But while it was relatively current, it served as nice, minimal protection against an unlikely threat.

Traveling down memory lane presented a new idea based on that old concept - open source virus protection. Since the virus threat is so remote, wouldn't it make sense to provide minimum, Disinfectant class protection through an open source venture? Those who demand greater protection may turn to Virex or NAV, but for the rest of us wouldn't open source fit just right?

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
Mar 31, 2004, 08:05 PM
 
Originally posted by typoon:
The other thing about OS X is that it is somewhat open source. So if there is a virus that is written it will most likely be fixed quickly. I say we should tout the security for sure.
I'm not sure how this is relevant. The majority of worms on Windows exploit flaws in userland software (e.g. Outlook). This software isn't open source on OS X, so fixes would have to come from Apple.

Originally posted by SMacTech:
I guess Apple just happened to pick BSD just for the heck of it. Do a simple Google search like this and read some of it.
I agree that BSD is fairly secure. But BSD is one small component of OS X; security is something that needs to extend both above and below the BSD layer.

Unless of course you only work in a terminal.

Originally posted by besson3c:
You make some good points, but I also think you've missed an important point. Sure a virus can infect OS X, but how would it *propagate*?

That's the key.
Unless I'm missing something, what's so different about OS X that would stop a virus propagating via email?
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
Mar 31, 2004, 08:08 PM
 
Originally posted by SMacTech:
I also don't know how my Mac is affected 'severely' by the virulent worms other than a DoS to a favorite site or clogged up internet pipes.
Sorry, just got which part of my post you were referencing here. When I said 'severely affected' I was referring to corporate Windows networks (i.e. ones where users run without administrative access) not Macs.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 31, 2004, 08:28 PM
 
Originally posted by Mr Scruff:
Unless I'm missing something, what's so different about OS X that would stop a virus propagating via email?
For starters, an email client to take advantage of... As discussed earlier in this thread, Mail.app won't allow scripting of the sending of email attachments.

The only other email client that is installed on all Macs is the unix mail app, but it also just sends messages in plain-text. Perhaps you could write a script that will forge headers and encode attachments and use mail to send attachments, but you would still need to have Postfix turned on.

As far as I can tell, the only way that one can send viruses over email in OS X using software already installed on all Macs:

- click on attachment/executable from the web/wherever, click past warning dialog explaining that you are executing an attachment (if you execute it from the OS X Mail app), authenticate to root

- enable Postfix on a port other than 25 (many ISPs block internal or external SMTP servers), use Mail/Address Book to grab a bunch of email addresses. Mind you, people don't generally have a ton of contacts in their Address Books (although plenty in the Recent Address History in Mail, which is not a system-wide API and probably not scriptable).

- Create some script that will encode an attachment and send the attachment as a MIME/Multipart either piped to Unix mail or some proprietary email client

- move the script to /System/Library/StartupItems

- Hope that the recipient will perform the 1st step on their machines, completing the cycle

To summarize, the coder would have to:

- write the malicious code to do whatever damage is desired on the infected machine - should be easy with AppleScript, although you would need to authenticate to affect your system

- grab addresses, if any

- enable Postfix on an alternate port

- create an email client to handle attachments

- trick the user into authenticating and do all the necessary social engineering work

Perhaps my technical logic is flawed, but if I'm close to being on the right track, it sure seems a lot harder than just piggybacking on Outlook. When infected, the virus would probably be a hell of a lot easier to remove.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Mar 31, 2004, 11:14 PM
 
Originally posted by besson3c:
Read the Ars thread posted by SMacTech. GregOmni (I'm assuming an Omnigroup developer) has this to say (okay, my claim that an app can't go through the AddressBook is pretty misleading, but it still looks like the virus can't be propagated, which is what I should have said):
Gonna make a few comments here:


---

Nope, won't work.

To send an attachment you need to convince the receiving email program that you are sending Content-type: mime/multipart, but Mail.app's scripting support does NOT allow you to set any email headers, and it does NOT allow you send anything besides text/plain. I tried scripting up a trojan myself: I can throw in a real MIME attachment in the outgoing content, encode it correctly, et cetera, and when that email is received, it is a bunch of plain text encoding gunk exactly like the old days with a non-MIME-aware mail tool because I can't get access to the headers that Mail.app is putting onto my scripted email, and upon receipt Mail.app is correctly looking only at the real headers even when I try to make my content look like it has additional valid headers.
As far as I know... this may be true. I haven't tried scripting Mail.app. But this _assumes_ that Mail.app is the only thing required for the propagation of the trojan. It is not. The trojan can contain its own code to handle the actual sending of the email in order to propagate. The basic difference is... Mail.app can NOT execute arbitrary code attached to an email merely by opening the email. However, it can execute the code in an attachment if clicked, and then a warning pops up about executing the code.... but one can just click again to ignore the warning.


I CAN get the user's SMTP server and email address, so I could still send email in his/her name by talking the SMTP protocol directly. This will only work if the user's SMTP server is configured to NOT take a password when sending (which is an optional SMTP extension, although most servers require it now), because I can only get the user's SMTP server password through the keychain, which will ask the user to authorize my script or executable. Or I could always send a bunch of email with any from address I choose through an open relay, if I know of one.
Most servers CAN require a password now. Many are not set up that way though. There are an amazing number of open relays still in existence. The assumption must be that since an open relay is possible the evildoer will know of at least one. An open relay can be as simple as a previously cracked Linux/OSX/Windows box.


In short:
(a) Address Book.app can be easily scripted to get other email addresses
(b) Mail.app can be easily scripted to get the user's SMTP server and port information
(c) Mail.app can NOT be scripted to send attachments
(c) Scripts or apps can NOT get the user's SMTP password, if any, without explicit keychain authorization by the user
Point (c) is not necessary in order to have a working trojan.
Point (c)[sic] may not be necessary in order to have a working trojan. The author also assumes that the evildoer will be using AppleScript and the standard APIs. These can be bypassed. For more information on this see: http://risley.net/keychain/


To me, this means that there is no client-side email hole here capable of propagating a trojan. You need server-side support from one of:

(a) An older SMTP server setup that does not require a password to send email. (Note that Mac.com is NOT vulnerable in this way.)
(b) An open relay.
(c) An ISP whose routers allow SMTP traffic outside of the ISP's borders by random clients. (If so, my trojan can connect directly to the intended receiver's mail server and talk SMTP to it instead of the current user's local mail server.)
It is not necessary to have a "hole" in Mail.app in order to have a working trojan. As long as the trojan can send attachments (it doesn't need Mail.app to do this)... the trojan can try and propagate from the client.

Point (a): This assumes an "older" SMTP server is required. It isn't. Any old SMTP server will do, even one the evildoer has set up for this... possibly even the user's Mac.

Point (b): Easy to come by or create an open relay.

Point (c): Many ISPs DO allow any SMTP traffic from clients within their borders. Often it is enough to just be on their subnet. Some ISPs filter outgoing SMTP traffic, some don't.


If you have some other security hole for achieving root access on the local client, there is also the potential attack of scripting the sending of a single innocuous text email and snooping the network traffic in order to grab the user's SMTP password. This only works if it isn't encrypted using SSL, and it is a lot of trouble to go through to get a propagation vector.
This is the real kicker, "...it is a lot of trouble to go through to get a propagation vector." This is exactly what will get you into trouble. Saying something is quite a lot of trouble assumes that "quite a lot" is "too much." At some point it will not be "quite a lot". That is how the whole script kiddie problem works. Once someone has gone to the trouble of figuring out how to do it and that information gets distributed then the script kiddies don't have to go to any trouble... all they have to do is copy and modify to suit their needs.

One thing that bugs me about the whole Keychain idea is that in its current version for Panther it can display a password in plain text. That means it has, at the very least, a reversibly encrypted version of the password stored somewhere. All that is necessary is to figure out the trick, and one can write some code for unlocking and grabbing the passwords in plain text. Perhaps it is just me but that seems like a really really bad idea.
-DU-...etc...
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 31, 2004, 11:39 PM
 
Originally posted by utidjian:
As far as I know... this may be true. I haven't tried scripting Mail.app. But this _assumes_ that Mail.app is the only thing required for the propagation of the trojan. It is not. The trojan can contain its own code to handle the actual sending of the email in order to propagate. The basic difference is... Mail.app can NOT execute arbitrary code attached to an email merely by opening the email. However, it can execute the code in an attachment if clicked, and then a warning pops up about executing the code.... but one can just click again to ignore the warning.
I've heard of trojans creating their own SMTP server, but creating their own email system which will encode attachments and format an email for delivery... sure it's possible, but as I said it seems a lot more work than just piggybacking off of Outlook.

You're right though that Mail.app is not needed. When I was presenting my logic, I was thinking in terms of doing the Mac equivalent of what is done on Windows. It would be harder to write and harder to socially engineer, but all it takes is for this to happen once (as far as the writing part) and for this information to be shared.

However, if a virus can't get into the recent address history it isn't going to get very far as far as propagation. I wonder if the recent address history information is encrypted? If the encryption is strong enough, I'm sure this would be a huge deterrent for script kiddies given that it would take a lot of processing time to break this encryption.
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
Status: Offline
Reply With Quote
Apr 1, 2004, 03:44 AM
 
These are posts I read at MacCentral Forum and AI Forum:

I'll address several issues here. I'm a programmer by trade, and have been creating UNIX programs, filters, and drivers since '82. My name is in the '94 and '94 Yggdrasil Linux "Plug-and-Play" books, so I've obviously been a Linux hack since '92. I also write Windows programs using Visual Studio, and have been porting my tools from Linux to OS X since the beta. So, I think I *might* be qualified to say what I'm about to say.

Remember: a "virus" is a set of invasive routines which have been attached to a legitimate program. A "worm" is, in essence, a detached background process.

Creating a UNIX "virus" would require the writer to muck with program text and data segment pointers, and change the program initialization pointer from the "crt0.o" equivalent to something else. The degree of difficulty here is at least 9.5 on a scale of 1-10... even if you *do* have the source to the runtime invocation routines. Then, to screw up the system, you have to attain root privileges from within the attached routines in that user-privileged program, which is indeed quite a bit harder. It's not impossible with the default OS X install, but it ain't easy. The easiest way to defeat this is to create a root account with a scrambled password on *EVERY* *NIX system you use, and that includes OS X.

Writing a UNIX "worm" is easier. Any program can create a detached process. BUT, the same issues with user-level vs. root permissions exist. Worms will run on properly protected systems, but they may never be able to attain the privileges necessary to do significant damage.

Now, these are not easy tasks. It's *much* easier to write a simple script that fools Windows into thinking that an offending program is actually something the user *wants* to run. Windows does *NOT* have user-level protections - and that's why viruses and worms are so easy to invoke on Windows.

Lastly: each task on a *NIX program runs in its own virtual memory space. Programs running within these virtual spaces are not allowed to "touch" devices or other system resources. Instead, programs make requests to the system for system resources. Even the graphics subsystem runs as a task under OS X. Hence, a "buffer overflow" within the OS X desktop would cause the desktop to crash and restart, but shouldn't cause any other problems.

Windows has incorporated graphics routines into its kernel. Hence, a "buffer overflow" in one of the graphics routines causes the kernel to respond with a handler. If you write your virus properly, the handler will execute *virus code* as the handler... and the virus has now attained system-level capabilities. The Windows kernel thinks it is running legitimate code, but it is running the virus' code -- which just happens to now be running as the system-level error handler. And, without user-level privilege protections, you can do.... anything.

That's how it's done, folks.


-----


MS has several bedrock problems, which at this point sort of coalesce into one problem. First, and deadliest so far, is the lethal alchemy between extraordinarily permissive interfaces (why, exactly, can Word macros delete system files?!) and commingled code. Second is their interpretation of user friendliness, which involves having all kinds of things going on in the background automagically - and this is as much of a problem as it is precisely because all the interfaces that make this happen are permissive. Third, features always trump security. This means on the one hand that (you guessed it) interfaces are permissive (so that there are fewer obstacles for software developers and power users - including dishonest ones) and also that many security holes come with built-in disincentives to plug them: There was a great deal of justified moaning when we ordered everyone in the office to turn off message previewing in Outlook, because it really is a nice feature. Lastly, MS still hasn't acted on the information that 90% of security lies in picking sensible defaults. This, again, is really another facet of the problem that every other point here is a facet of: It's convenient and featureful for all the services to be going, and a minimum of ports to be obstructed, and for interfaces to be permissive - so they are.

This set of attitudes has been codified into years upon years of legacy; into billions of dollars of investments, and into MS' strategy of mollycoddling developers. Even their half-hearted attempt at a competently engineered OS (NT/2000) went nowhere until they rolled in a lot of compatibility with Win9x - which is, and has always been, a security nightmare. So it doesn't really matter how many security experts they hire, because the experts are left with the unenviable task of turning a glass house into a fortress. That's not how security works: Fortresses are designed from the get-go to be fortresses, and for Microsoft it's years too late to go back to blueprints.

Then, of course, there's the monster under the bed that nobody wants to mention. All the armchair security analysts blathering on about how OS X is only defended by security through obscurity (ha!) should take note: MS CEO Steve Ballmer has come out and said, reluctantly, that Windows Messaging - the core of every version of every one of MS' operating systems - is a sieve, and if anyone found out just how to take advantage of that... well, do the math. Unfortunately, one of the things I learned talking at length to Microsoft developers is that large portions of that code are black boxes. The people who wrote them are long since gone, the code is ancient, nobody knows how it works. Whole swaths of Windows are built by attempting an implementation and hoping that it didn't break anything down in the pit of the OS. NT didn't change this. 2000 didn't change this. XP didn't change this. The security experts can't change it: first, you can't change what you can't understand; second, since Messaging is the foundation on which Windows is built, redesigning and reimplementing it would be an unfathomable nightmare (you'd have to test and make sure that nothing in Windows, or in Windows applications, broke!); last, the interface is permissive, and secure implementations of insecure interfaces are impossible - and again, all of Windows and all Win16 and Win32 apps assume that interface. The security experts are tasked with bandaging the Titanic.

I haven't even listed all of the ways Windows is insecure. This is just one example.

This is why MS is trying to keep the Messaging code hidden by all means, and protected by any number of big Federal laws with sharp teeth. But this is all still security through obscurity, and Federal laws mean nothing to hackers in, say, North Korea.

What nobody wants to face is the fact that 95% of the computing world is built on a house of cards, and the current epidemic of viruses and worms only hints at what could happen if someone really found the soft spots in the world's de facto operating system.

We can all hope that that day doesn't come.
JLL

- My opinions may have changed, but not the fact that I am right.
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
Status: Offline
Reply With Quote
Apr 1, 2004, 06:15 AM
 
Originally posted by besson3c:
For starters, an email client to take advantage of... As discussed earlier in this thread, Mail.app won't allow scripting of the sending of email attachments.

The only other email client that is installed on all Macs is the unix mail app, but it also just sends messages in plain-text. Perhaps you could write a script that will forge headers and encode attachments and use mail to send attachments, but you would still need to have Postfix turned on.
I don't doubt that outlook on Windows is an easier target than Mail.app on OS X. I also agree that getting the sort of privileges needed to wreak system level damage is harder on OS X. I just feel that if we had the focus of all the virus/worm writers on our platform, holes would be found.

Imagine the following. An email virus, which takes the form of an html mail mimicking the sort of mails that Apple sends out. It warns of serious security problems that need to be patched, with an attachment that consists of a zipped application, and instructions on how to unzip the attachment and run the 'patch'. The 'patch' of course contains malicious code that installs a keylogging daemon, and emails a copy of itself to everyone in the user's address book.

This sounds ridiculous, but it succeeds all the time on Windows because of:

- the large amount of potential targets
- the ignorance of the vast majority of users

What is different about our platform that would stop this happening?
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Status: Offline
Reply With Quote
Apr 1, 2004, 07:07 AM
 
We've already been there - remember Apple's installer for (IIRC) iTunes a few years ago? The one that wiped people's hard drives if there was a space in the hard drive's name? OK, not precisely what you describe, but not far removed from it and a good example of the potential for a "virus" that exploits social engineering to wreak havoc. It could happen... but how would you stop it at the level of the OS? Very, very difficult. The issue here is educating the user - it's a pure PEBCAK issue. Fortunately, Windows' troubles are actually half way there to doing it for us - the more it happens, the more people are going to realise that opening files from someone you don't know or trust etc is not the thing to do.
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
Status: Offline
Reply With Quote
Apr 1, 2004, 07:47 AM
 
Originally posted by JKT:
We've already been there - remember Apple's installer for (IIRC) iTunes a few years ago? The one that wiped people's hard drives if there was a space in the hard drive's name? OK, not precisely what you describe, but not far removed from it and a good example of the potential for a "virus" that exploits social engineering to wreak havoc. It could happen... but how would you stop it at the level of the OS? Very, very difficult. The issue here is educating the user - it's a pure PEBCAK issue. Fortunately, Windows' troubles are actually half way there to doing it for us - the more it happens, the more people are going to realise that opening files from someone you don't know or trust etc is not the thing to do.
I agree - the only way to make systems completely secure would be protecting users from doing the equivalent of jumping in front of a tube train. This is impossible without making a system that is completely inflexible - you can only put up so many warnings when the user tries to do something stupid.

There are 2 separate issues here I guess: the vulnerability of a system to remote exploits, buffer overflows etc., and the problem of not being able to trust users to act sensibly.

Many of the email-borne worms that dominate the headlines are a result of the latter rather than the former.
     
Millennium
Clinically Insane
Join Date: Nov 1999
Status: Offline
Reply With Quote
Apr 1, 2004, 08:37 AM
 
Originally posted by JKT:
We've already been there - remember Apple's installer for (IIRC) iTunes a few years ago? The one that wiped people's hard drives if there was a space in the hard drive's name? OK, not precisely what you describe, but not far removed from it and a good example of the potential for a "virus" that exploits social engineering to wreak havoc.
That's not a virus, but it's a type of attack which has its own name: a Trojan horse. Like the one from mythology, it poses as a benign program -and may even have some benign effects, to make it harder to detect- but its true purpose is Bad Stuff of one form or another. If the iTunes installer had been intentionally coded to have this problem, it would have been a textbook case; as it was, it's just a REALLY bad bug.

There are basically three types of malicious programs out there, by the way:
  • Trojan horses are the simplest kind of malicious program. I've described them above. The major defining aspect of a Trojan horse, however, is that it cannot spread on its own.
  • Viruses (the plural is not "virii") are the second type of malicious program. Actually, these are not full programs in and of themselves; they are tiny snippets of code which insert themselves into a running application's code, and infect any other running applications on the machine. The defining feature of viruses is that they can only spread between files on the same machine. They cannot spread to other machines unless the user shares files. True viruses are not common anymore; thanks to Microsoft, they have been replaced by the third type of program:
  • Worms are a kind of hybrid between a Trojan horse and a virus. Like Trojan horses, they are complete programs in their own right; they cannot insert themselves into other files. Like viruses, they have means of reproducing themselves. Unlike viruses, they do not spread from file to file; instead they spread directly between machines. To do this, on each infected machine the worm has to discover ways that it can send itself, and machines to which it can send itself. Outlook's address book provides a very convenient place to find this information, and this is how most e-mail worms work. Another trick is to scour the user's browser bookmarks and attempt to hack each server found; Nimda and Code Red worked this way. If the machine gets onto a Web server, it can then scour the referer logs for even more hosts.
The interesting thing about Nimda and Code Red is that if you were attacked, you knew both what machine was trying to hack you, and that it had a security hole (which Nimda and Code Red had used to get onto the machine in the first place). This led to the creation of hackback scripts, which would follow the trail back to the infected machine, hack it again, this time to pass a warning to the machine's administrator that the machine was infected and then to shut the machine down so that it could not infect anyone else. The legality of hackback scripts is definitely a grey area, but the general school of thought is that someone using a hackback could plead self-defense.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Reply With Quote
Apr 1, 2004, 09:48 AM
 
Originally posted by besson3c:
I've heard of trojans creating their own SMTP server, but creating their own email system which will encode attachments and format an email for delivery... sure it's possible, but as I said it seems a lot more work than just piggybacking off of Outlook.
Yes... that may be but the work is already done. If you want to test it you can just copy-and-paste. See: http://tinyurl.com/2blxv
You may have to fix some line endings on the comment lines (google groups artifact of wrapping long lines).


You're right though that Mail.app is not needed. When I was presenting my logic, I was thinking in terms of doing the Mac equivalent of what is done on Windows. It would be harder to write and harder to socially engineer, but all it takes is for this to happen once (as far as the writing part) and for this information to be shared.
Already done (see above link).


However, if a virus can't get into the recent address history it isn't going to get very far as far as propagation. I wonder if the recent address history information is encrypted? If the encryption is strong enough, I'm sure this would be a huge deterrent for script kiddies given that it would take a lot of processing time to break this encryption.
You are making assumptions about something that doesn't exist yet. If you go and look at Apple's web site there is plenty of example code that Apple supplies for searching through your emails. There is even example code on your system for AppleScript. Look in /Library/Scripts/Mail Scripts/. It doesn't make any difference to the scripts or the program I gave a link to that your entire user directory may be encrypted via FileVault. This is because when you are logged in your whole home folder is read/writeable by you. The program/script is run by you. The example program, as it is written, can not read other users' home folders. But, as the example shows, it can read a lot of system stuff. Anything a normal user can access.

As the example program is written the attachment has to be "opened" by the user. There is a popup warning about this. The gamble is whether the user will trust an attachment from someone they know. Quite a few people will open it.

The original author of the example program did not include the one line of code for attaching itself to the outgoing email. If he did it would basically be a full on trojan. To add the line would be fairly trivial, no?

Incidentally.... I have modified and tested the example program code to run on a Linux system. It also works BUT one has to go through extra steps to run it. The only option is to "save" it to disk. Once saved to disk it still won't run by just clicking on it because the execute bit is turned off by default. This is nowhere near as "convenient" as the way Mac OS X handles the attachment.

In any case... I think I have made my point.

One other thing... before anyone gets huffy about me posting a link to such code in a public forum... I didn't write the code, the code is already posted to the most public forum there is (Usenet News), it is easily findable by searching groups.google.com, and this particular code has been "public" for 6 months.
-DU-...etc...
     
Love Calm Quiet  (op)
Mac Elite
Join Date: Mar 2001
Location: CO
Status: Offline
Reply With Quote
Apr 1, 2004, 11:27 AM
 
Seems like real vulnerability for ALL operating systems is going to be there as long as "sender identity" for emails can be faked (or innocent victims can get infected and unintentionally email infected material to people in their address books).

There'll always be people who will click on a link/DL/etc from a "trusted friend" - and some who will enter a password click "OK" to the alert that says "admin privileges are required for this operation."

If I'm understanding the discussion above, that would just be one of the prices to be paid if Mac OS ever held market share on a par with MS.
TOMBSTONE: "He's trashed his last preferences"
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Reply With Quote
Apr 1, 2004, 01:05 PM
 
Originally posted by Love Calm Quiet:
Seems like real vulnerability for ALL operating systems is going to be there as long as "sender identity" for emails can be faked (or innocent victims can get infected and unintentionally email infected material to people in their address books).

There'll always be people who will click on a link/DL/etc from a "trusted friend" - and some who will enter a password click "OK" to the alert that says "admin privileges are required for this operation."

If I'm understanding the discussion above, that would just be one of the prices to be paid if Mac OS ever held market share on a par with MS.
Well the social engineering part where you get someone to actually make that second click is the key. Once you can get anyone to do that all bets are off. The example program was just one simple idea on how such a thing could work. One could even make a much more sophisticated program, bundle it up, send it out as some sort of cool new image viewer or album creator or something. Once it gets to a host machine and someone tries to run it, it will send itself to all email addresses in the address book, with the same payload, and it will look to the recipients as if it came from someone they know.

Such a trojan would only spread to some Mac users. The really nasty part in my opinion is how much info the program could send to an anonymous mail drop. It could even be a separate email.

The main thing that has prevented this kind of trojan from becoming a problem is that no one has bothered to make one yet AND the relatively low density of Macs amongst all other systems. For sake of discussion, if the Mac installed base were, say, 5% of all systems that were in some way connected to the internet... and every single one was infected by a trojan (or whatever)... it would still only affect 5% of all systems. Hardly news. Many of the Windows problems are due to systems that have not been updated recently or ever. Sometimes this is as little as 10% of systems out there. But when something can affect those 10%, it is twice the size of the problem that the Macs would be.

I think Apple has done a pretty good job of "pushing" the update thing on Mac users. It is turned on by default. Yet I know of places that have a LOT of Macs (like schools and universities) that only run SoftwareUpdate once every 6 months or so because it is not yet automated. But what about all the other apps one runs on a Mac? What about all the other stuff one downloads from versiontracker etc? How do you know when to update those? How do you know something on versiontracker is NOT a trojan?

I think that Apple has a pretty good record, so far. I think we have been fairly lucky, so far. Certainly it is not and hopefully never will be as big a problem as it is for Windows. I also think there is much more to be done. It is not enough to sit and wait for the problems to occur.
-DU-...etc...
     
macsfromnowon
Junior Member
Join Date: Oct 2003
Status: Offline
Reply With Quote
Apr 1, 2004, 02:52 PM
 
utidjian raises an interesting specter... of someone going to the trouble to offer some FREEWARE (that actually does something useful, I suppose) via VersionTracker, etc... and then waiting for some time to activate a worm or virus within it.

Has anyone ever heard of a FREEWARE/SHAREWARE source (even for PCs) being used to attempt viruses, trojans, etc.?
     
bens1901
Registered User
Join Date: Sep 2002
Location: New York City
Status: Offline
Reply With Quote
Apr 2, 2004, 04:41 AM
 
I like to follow the concept of "don't underestimate your enemy." Even though Macs have had a successful history with viruses, worms, etc., we must continue to protect our computers. Sure, security through obscurity is working, but for how long? When a virus does "arrive" at the front door of the Mac community, we need to have precautions and safety measures. Otherwise, all of this proudness for Mac security is in vain.

ok. that's my 2 cents
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Reply With Quote
Apr 2, 2004, 11:26 AM
 
Originally posted by macsfromnowon:
utidjian raises an interesting specter... of someone going to the trouble to offer some FREEWARE (that actually does something useful, I suppose) via VersionTracker, etc... and then waiting for some time to activate a worm or virus within it.

Has anyone ever heard of a FREEWARE/SHAREWARE source (even for PCs) being used to attempt viruses, trojans, etc.?
Sure. Someone attempted to put a backdoor into the Linux kernel a couple of months back. It was caught well before it made it into the source tree. There have been a couple of other cases with other Open Source repositories and programs. All of them were quickly dealt with and I have never heard of any of the exploited code actually getting out into "the wild". Please note that Open Source software is NOT "FREEWARE/SHAREWARE".

There is also the possibility of proprietary software carrying a trojan. It is very unlikely that you will ever hear about it from the vendor though. Many people willingly pay for Office-X. Office-X calls home. This is a "feature".

The way most responsible suppliers of Open Source software deal with the possibility of infected code is to digitally sign the code. Usually with MD5SUM checksum. Most all Linux vendors do this with the packages they supply as do most suppliers of third party software. The good package management systems automatically check the MD5SUM before the software is installed. Fink packages use checksums. It is not clear whether SoftwareUpdate does use some sort of checksum.
-DU-...etc...
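The "check the checksum before the software is installed" step described above, as an added example (not code from the thread or from any package manager): a small POSIX sh routine that compares a downloaded file against a published MD5 and refuses to install on mismatch. The manifest format, the file names and the "install" step (a copy into a staging directory) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: verify a downloaded package against the
# checksum its supplier published before letting it anywhere near an install.
# A checksum only proves the file is the one the supplier published; it does
# not identify the supplier, which is what a real signature adds.

# Print the MD5 of a file, using whichever tool the host provides
# (GNU coreutils md5sum on Linux, BSD md5 on Mac OS X).
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# verify_package FILE EXPECTED_MD5
# Returns 0 when the checksum matches, 1 otherwise. Both sides are compared as
# lowercase hex so a manifest written in uppercase still verifies.
verify_package() {
  actual=$(file_md5 "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# install_if_verified FILE EXPECTED_MD5 DEST_DIR
# The "install" is just a copy into DEST_DIR so the example runs offline; the
# point is that nothing is copied unless verification succeeds.
install_if_verified() {
  pkg=$1; sum=$2; dest=$3
  if verify_package "$pkg" "$sum"; then
    cp "$pkg" "$dest/" && echo "installed $(basename "$pkg")"
    return 0
  fi
  echo "checksum mismatch for $pkg: refusing to install" >&2
  return 1
}

# Demo with constructed data: a good package, a one-byte-altered copy, and the
# MD5 of "hello\n" standing in for the value a vendor would publish.
demo() {
  tmp=$(mktemp -d)
  printf 'hello\n' > "$tmp/good.pkg"
  printf 'hellp\n' > "$tmp/tampered.pkg"
  published=b1946ac92492d2347c6235b4d2611184
  mkdir "$tmp/installed"
  install_if_verified "$tmp/good.pkg" "$published" "$tmp/installed"
  install_if_verified "$tmp/tampered.pkg" "$published" "$tmp/installed" || true
  ls "$tmp/installed"      # only good.pkg should be listed
  rm -rf "$tmp"
}
```

Run `demo` to see the good package copied and the altered one rejected.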
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Status: Offline
Reply With Quote
Apr 2, 2004, 01:54 PM
 
I say scream it as loud as you can

The issue isn't necessarily that the OS is soooooo secure, it's more of how Windows is very insecure!

Also, Apple is using open standards. It's not JUST OS X that's using much of the methods to access the computer. Various other distributions are using the same code base. So it's in everyone's best interest to keep the stuff secure. AFP is the only one that Apple alone needs to worry about. All the others (naturally they should worry) but not as much.

Also, OS X comes with so few ports open and a VERY strong firewall (which is enabled by default)
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Reply With Quote
Apr 2, 2004, 02:12 PM
 
Originally posted by mitchell_pgh:
I say scream it as loud as you can

The issue isn't necessarily that the OS is soooooo secure, it's more of how Windows is very insecure!

Also, Apple is using open standards. It's not JUST OS X that's using much of the methods to access the computer. Various other distributions are using the same code base. So it's in everyone's best interest to keep the stuff secure. AFP is the only one that Apple alone needs to worry about. All the others (naturally they should worry) but not as much.

Also, OS X comes with so few ports open and a VERY strong firewall (which is enabled by default)
AFP, for some reason, has been a reasonably secure networked file system. Much more so than NFS and SMB/CIFS. Naturally Apple can have help with all the OSS stuff and even contribute. With AFP they are pretty much on their own.

Urm... I don't think the firewall is enabled by default. It is very easy to turn it on though.
-DU-...etc...
     
Bit Density
Fresh-Faced Recruit
Join Date: Oct 2003
Status: Offline
Reply With Quote
Apr 2, 2004, 03:05 PM
 
Originally posted by besson3c:
Read the Ars thread posted by SMacTech, GregOmni (I'm assuming an Omnigroup developer) has this to say (okay, my claim that an app can't go through the AddressBook is pretty misleading, but it still looks like the virus can't be propagated, which is what I should have said):


If you have some other security hole for achieving root access on the local client, there is also the potential attack of scripting the sending of a single innocuous text email and snooping the network traffic in order to grab the user's SMTP password. This only works if it isn't encrypted using SSL, and it is a lot of trouble to go through to get a propagation vector.

- Greg
This is interesting, but shows a misunderstanding of how modern viruses work in windows.

They do not use outlook (except for getting addresses), or the ISP's SMTP server, they install a small SMTP mail server on the system. Which is used to drop the mail into the mail infrastructure... The exact same thing can be done on a Mac. These little SMTP servers are also used as open relays for spammers.

There is nothing on the mac to prevent similar kinds of attacks.

The mac has two real advantages. The lack of size in the community makes it both unattractive to hack, and the viral vectors not nearly as virulent... And the expertise in the community both Windows and Linux is largely IA86 oriented.

That does not mean that there are not exploits for the Mac. Or that there will not be exploits for the Mac. But it does mean that for now the Mac has practically fewer security issues.

But security is pretty binary, you are either 0wn3d or you're not. And I think Apple would be taking on a pretty needless amount of liability by making security claims, especially the kinds of claims that folks here would like them to make. Trust me, the folks that know about security, and care about security already know about the mac. It is cost and interoperability with needed systems that will make the difference and it is always what makes the difference.
     
Millennium
Clinically Insane
Join Date: Nov 1999
Status: Offline
Reply With Quote
Apr 2, 2004, 03:28 PM
 
Originally posted by Bit Density:
This is interesting, but shows a misunderstanding of how modern viruses work in windows.

They do not use outlook (except for getting addresses), or the ISP's SMTP server, they install a small SMTP mail server on the system. Which is used to drop the mail into the mail infrastructure... The exact same thing can be done on a Mac. These little SMTP servers are also used as open relays for spammers.

There is nothing on the mac to prevent similar kinds of attacks.
Wrong. The app cannot set the machine to start the server at boot time, as it can on Windows. To do so would require authentication. This prevents a trojan from being able to set up a reliable backdoor, which severely lowers the utility of such trojans.

Admittedly, an application-based firewall installed by default would be even better. Start off with no apps allowed to connect to the Net. As soon as an app tries, a dialog pops up explaining this, with the usual "Deny", "Allow Once", and "Always Allow" choices. If the file has a suspicious name (ending in .jpg.app or something similar), then alert the user to this. Authentication should be required, of course.

Such apps already exist, out in the third-party world. Unfortunately, neither Apple nor Microsoft has seen fit to bundle them in yet. That needs to change.
That does not mean that there are not exploits for the mac. Or that there will not be exploits for the mac.
Actually, shellcode for OSX has already been written. As far as I know it hasn't been used yet, but it is there.

Obscurity is no protection. Considerable glory awaits the first person to produce a OSX worm, because it's exactly that: the first OSX worm. Something like that is totally independent of the size of the community, unlike what the apologists would have you believe. Our small size is no advantage at all.

Apple needs to boast far and wide about its security. Heck; it should even post prizes for verifiable hacks. Eventually one will be found, of course -they always are- but three years with the coveted "first hack" spot unclaimed are rather telling.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Reply With Quote
Apr 2, 2004, 05:04 PM
 
Originally posted by Millennium:
Wrong. The app cannot set the machine to start the server at boot time, as it can on Windows. To do so would require authentication. This prevents a trojan from being able to set up a reliable backdoor, which severely lowers the utility of such trojans.
True. But only trivially so. The trojan, which would be started by a regular user, could background itself once the user logs out so that it keeps running even after they have logged out. It is true the trojan can not run when the machine is turned off (most all machines are at least that secure (except for wake-on-lan)) and it will not run immediately on bootup. It could be set to run immediately on the user's login.

[snippage]


Apple needs to boast far and wide about its security. Heck; it should even post prizes for verifiable hacks. Eventually one will be found, of course -they always are- but three years with the coveted "first hack" spot unclaimed are rather telling.
We have about 250 Macs where I work. We all thought they were pretty secure by default. After the lockscreen buffer overflow problem (which did work) I decided to investigate the security a bit. This was at least a year ago. The lockscreen thing has long since been fixed. I went to one of the lab macs and opened a terminal. I typed:

nidump passwd .

I sent the result off to a different machine and ran John-the-Ripper on it. I got the admin and owner passwords inside of 2 hours. These did not work on the Xserves. But I did get a regular userid and password for one of the Xserves. Logged into Xserve1 remotely and ran the nidump command again, ground it through JtR and had the admin password inside of 30 minutes. Also got a userid and password that works on the second Xserve. Logged in and got root to Xserve2. So... from a few seconds on one machine and a couple of hours letting JtR do its thing I had admin rights on most of the 250 Macs.

I wrote all this up and sent it to the admins of those systems along with several suggestions on what they could do to fix it. They thanked me but decided it was too much hassle until they upgrade all of them to Panther.

I have thirty iMacs and a G5 in my department. They are "fixed" as soon as I find any weakness in their setup. I didn't count those as part of the 250.

The nidump thing has been common knowledge for at least 4 years. Most home users are relatively immune because it requires that the evildoer have access to the machine. It can be done via a trojan (the example program I posted earlier does it.) It has finally been fixed in Panther by using shadow passwords. BUT it only applies to new accounts or if you change the password since the upgrade. If a machine has a fresh install of Panther or came with Panther then all passwords are shadowed.
-DU-...etc...
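One defensive follow-up to the point that Panther only shadows passwords for new accounts or changed passwords, as an added example that is not from the thread: a small Python audit over the output of `nidump passwd .` that reports which accounts still carry a readable hash. It assumes the BSD passwd field layout (`name:hash:uid:gid:class:change:expire:gecos:home:shell`) and that shadowed accounts print `********` in the hash field; the dump below is constructed sample data.

```python
# Added example (not from the thread): audit a NetInfo passwd dump for
# accounts whose password hash is still exposed after the Panther upgrade.
# Assumes the BSD passwd line layout (10 colon-separated fields) and that
# Panther prints "********" in the hash field of a shadowed account.
from dataclasses import dataclass

SHADOWED = "********"  # assumption: marker Panther shows for shadowed accounts


@dataclass
class AccountStatus:
    name: str
    state: str  # "shadowed", "exposed", "locked", "empty" or "malformed"


def classify_hash(field: str) -> str:
    """Map the second passwd field to a risk state."""
    if field == SHADOWED:
        return "shadowed"          # hash lives in the shadow store, not here
    if field == "":
        return "empty"             # account has no password at all
    if field.startswith("*") or field.startswith("!"):
        return "locked"            # can never match a password, nothing to crack
    return "exposed"               # a real hash any local user could read


def audit_passwd_dump(dump: str) -> list[AccountStatus]:
    """Parse each passwd-format line and classify its hash field."""
    results = []
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            results.append(AccountStatus(fields[0], "malformed"))
            continue
        results.append(AccountStatus(fields[0], classify_hash(fields[1])))
    return results


def exposed_accounts(dump: str) -> list[str]:
    """Names of accounts that still need a password change to become shadowed."""
    return [a.name for a in audit_passwd_dump(dump) if a.state == "exposed"]


# Constructed sample dump; the hash value is made up, not a real credential.
SAMPLE_DUMP = """\
nobody:*:-2:-2::0:0:Unprivileged User:/dev/null:/dev/null
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
admin:********:501:20::0:0:Lab Admin:/Users/admin:/bin/bash
owner:mQ8xYbF3kL2pQ:502:20::0:0:Lab Owner:/Users/owner:/bin/bash
guest::503:20::0:0:Guest:/Users/guest:/bin/bash
"""
```

Running `exposed_accounts` over a real dump gives the list of accounts whose password must be reset before the hash stops being readable.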
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Apr 2, 2004, 10:48 PM
 
Originally posted by utidjian:
True. But only trivially so. The trojan, which would be started by a regular user, could background itself once the user logs out so that it keeps running even after they have logged out. It is true the trojan cannot run when the machine is turned off (most all machines are at least that secure (except for wake-on-lan)) and it will not run immediately on bootup. It could be set to run immediately on the user's login.
When you log out, all processes owned by you are killed off - including ones that have been backgrounded. Try putting a VNC server into the background and logging off.

You could just throw it into the login items list though, but I'm not sure if scripts can be added to this list. The virus is pretty obvious when it is sitting there in your dock.

Re: shadow passwords... how does NetInfo fit into this picture?
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Apr 2, 2004, 10:51 PM
 
Originally posted by Millennium:
Admittedly, an application-based firewall installed by default would be even better. Start off with no apps allowed to connect to the Net. As soon as an app tries, a dialog pops up explaining this, with the usual "Deny", "Allow Once", and "Always Allow" choices. If the file has a suspicious name (ending in .jpg.app or something similar), then alert the user to this. Authentication should be required, of course.

Such apps already exist, out in the third-party world. Unfortunately, neither Apple nor Microsoft has seen fit to bundle them in yet. That needs to change.
Doesn't IPv6 networking do away with ports as we know them now (in addition to IP addresses)?

It sounds like this transition will help a whole hell of a lot.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Reply With Quote
Apr 2, 2004, 11:00 PM
 
Originally posted by Bit Density:
This is interesting, but shows a misunderstanding of how modern viruses work in windows.

They do not use outlook (except for getting addresses), or the ISP's SMTP server, they install a small SMTP mail server on the system. Which is used to drop the mail into the mail infrastructure... The exact same thing can be done on a Mac. These little SMTP servers are also used as open relays for spammers.
Okay, my whole "piggybacking off of Outlook" thing was messed up. I actually knew that viruses create their own SMTP server, I just wasn't thinking carefully enough.

That does not mean that there are not exploits for the mac. Or that there will not be exploits for the mac. But it does mean that for now the Mac has practically fewer security issues.
Do you think there is any relationship between the number and severity of viruses and the difficulty of writing one? I mean, it is just so easy on Windows having free rein over the system as an admin.

I think there is... at least to the point where it is unlikely we'll see the daily churning out of all these variants and junk. With deterrents preventing attachments from executing, and no Active-X to allow easy executing of executables off the internet with a simple dialog people have become so programmed to dismiss without reading carefully (I don't know why MS doesn't yank this silly feature), etc., the social engineering is more of a challenge.
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.