
New Mac virus alerts
allblue
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
Feb 22, 2006, 08:59 AM
 
Are the easy days coming to an end for us Mac users?

http://news.bbc.co.uk/1/hi/technology/4739432.stm
"Believe nothing, no matter where you heard it, or who has said it, not even if I have said it, unless it agrees with your own reason and your own common sense."

Buddha
     
eevyl
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
Feb 22, 2006, 09:03 AM
 
ZOMG! Go to the shelters! It is the apocalypse!

Err, no.
     
shiff
Forum Regular
Join Date: Nov 2001
Feb 22, 2006, 09:25 AM
 
While I do not think it is time to head for the hills; a well written virus would absolutely spread like wildfire on the Mac platform because a lot of Mac users think we are invincible and can't be touched by anything. A rude awakening will happen eventually.

Regardless, everyone should have good antivirus software running and practice secure computing.
     
jersey
Senior User
Join Date: Dec 2002
Feb 22, 2006, 09:26 AM
 
whoopy do.
     
sieb
Dedicated MacNNer
Join Date: Jan 2005
Location: Under Your Stairs
Feb 22, 2006, 09:30 AM
 
yawn... Once again, these aren't virii, they are trojans. The usual FUD..

I guess it's time for Apple to dump OSX and start selling XP on all their machines.......................

....
Sieb
Blackbook
(2Ghz, 2GB, 100Gig, week 21)
     
shiff
Forum Regular
Join Date: Nov 2001
Feb 22, 2006, 09:39 AM
 
Actually this one is more like a worm; as it does try to propagate itself; just not very successfully. It is not a huge threat, but does show as OSX gets more popular; there will be more things like this and eventually there will be a threat. It is nothing to get paranoid about, but a lot of Mac users really need to drop the attitude that this platform is invincible as it is far from it.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Feb 22, 2006, 10:13 AM
 
Originally Posted by shiff
While I do not think it is time to head for the hills; a well written virus would absolutely spread like wildfire on the Mac platform because a lot of Mac users think we are invincible and can't be touched by anything. A rude awakening will happen eventually.

Regardless, everyone should have good antivirus software running and practice secure computing.
A well written virus would need to overcome some very tricky hurdles to be able to spread like wildfire on the Mac. To do so it would need to infect people's machines without them being aware that something was wrong and be able to self-propagate without users being aware that it was doing so, something that none of the exploits so far described this week are even remotely capable of doing (Oomp-A can't even get out of a LAN by itself, Inqtana is just a complete joke of an exploit that would need a huge number of people in the same local area to be incredibly, massively, stupendously, unimaginably stupid... possible of course, but highly improbable). If someone works out how to do that in OS X, then we can start worrying about worms and viruses spreading like wildfire but it hasn't happened yet and one suspects that it never will unless Apple gets/continues to be sloppy.

Trojans have been an acknowledged problem for everyone ever since Apple's iTunes 2 installer wiped some people's hard drives and Apple should have sorted out the issue of icons giving the wrong impression of a file's identity years ago. We all laughed at the person who wiped their hard drive trying to install Office from a 50KB file downloaded from a pirate site, but that should have started the alarms ringing at Apple. Obviously it did not. The rudest awakening has hopefully occurred in Cupertino this week as all of these exploits should never have been allowed to occur and the main culprit in all of them is the Finder and the way in which it handles and displays files.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 22, 2006, 10:34 AM
 
A well written virus would simply have to pretend to provide extended Applecare, coupons for free RAM upgrades, or something else desirable in a Mac and it would get all the traction it needed to infect a lot of Macs. We're a trusting bunch, as well as being pretty greedy for free stuff. Anyway, the "easy days" aren't over, just the days of getting by and staying gullible.

Glenn -----OTR/L, MOT, Tx
     
Maflynn
Professional Poster
Join Date: Mar 2002
Location: Boston
Feb 22, 2006, 10:48 AM
 
Originally Posted by sieb
yawn... Once again, these aren't virii, they are trojans. The usual FUD.
Call it what you will, they are a new occurrence to us in OSX and they have the same destructive issues that a virus does. The days of being virus free for OSX are over.
     
chris v
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Feb 22, 2006, 11:29 AM
 
This article is just pointing out a security hole that theoretically could be used as an avenue of attack. No actual attacks are being reported. From the second paragraph: "Although no attackers were known to be exploiting the bug..."

Turn off "open safe files" in Safari. Like you should have done, the last time this came up a year ago.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
JMII
Forum Regular
Join Date: Dec 2001
Location: Ft Laud, FL USA
Feb 22, 2006, 12:37 PM
 
Originally Posted by shiff
While I do not think it is time to head for the hills; a well written virus would absolutely spread like wildfire on the Mac platform because a lot of Mac users think we are invincible and can't be touched by anything. A rude awakening will happen eventually.
Agreed - the day will come and it will be ugly.

Virus, Trojan, Malware, Spyware... call it whatever you wish but any process, script, program or app running on my machine without me knowing about it is NOT GOOD.

I guess this goes to show how popular OSX has become, with the Intel Macs a lot of *NIX guys are switching and looking to make a name for themselves as the "guy who brought down OSX".

Most Mac users I know (including me & my family) are always logged in as admin since that's how a default install of OSX leaves you. However at work we were wise and set up individual user accounts and never let anyone run as admin.
     
RevEvs
Mac Elite
Join Date: Feb 2001
Location: Sitting in front of computer
Feb 22, 2006, 01:08 PM
 
From Article:

The risk to users from the virus is almost non-existent because the variants are only proof-of-concept bugs and none have been released to the wild.
I free'd my mind... now it won't come back.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Feb 22, 2006, 01:24 PM
 
Originally Posted by ghporter
A well written virus would simply have to pretend to provide extended Applecare, coupons for free RAM upgrades, or something else desirable in a Mac and it would get all the traction it needed to infect a lot of Macs. We're a trusting bunch, as well as being pretty greedy for free stuff. Anyway, the "easy days" aren't over, just the days of getting by and staying gullible.
This is simply untrue. It would hit about the first 10 to 100 people at most before it would be identified as a problem and it would get no further. It wouldn't be able to spread like wildfire because there are no exploits in OS X that allow this (as of yet, and hopefully that remains true). All these exploits from the past week share one common flaw - it is blindingly obvious that something has gone wrong because Terminal launches and does something instead of that app you thought should actually launch. Only one person from that 10 to 100 would have to be aware of this before it would be stopped dead in its tracks by the publicity.

Virus, Trojan, Malware, Spyware... call it whatever you wish but any process, script, program or app running on my machine without me knowing about it is NOT GOOD.
There haven't been any scripts that have run on anyone's machine yet that they didn't know about. They may not have known it would happen, but when it did they certainly knew that it had occurred.
     
Rumor
Moderator
Join Date: Feb 2006
Location: on the verge of insanity
Feb 22, 2006, 02:00 PM
 
Figures that the same week I switch from Windows to Mac, a bunch of virus threats come out.
I like my water with hops, malt, hops, yeast, and hops.
     
chris v
Addicted to MacNN
Join Date: Jan 2001
Location: The Sar Chasm
Feb 22, 2006, 02:35 PM
 
Originally Posted by Rumor
Figures that the same week I switch from Windows to Mac, a bunch of virus threats come out.
There was one trojan that affected maybe 10 users, there was another proof-of-concept that could propagate by Bluetooth IF you accepted a connection without knowing where it was from, and a potential hole was found in Safari. It's good to keep up to date on these things, as ignorance is no excuse, but "a bunch of virus threats" is overstating the actual situation.

Actually, the hole in Safari is how the first trojan got in, and it's not a new hole. So really, we had two issues.

When a true genius appears in the world you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift.
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Feb 22, 2006, 02:44 PM
 
Similar exploits have appeared before in Safari (the help file exploit), but it sounds like they just put a band-aid on it instead of fixing the real problem. The "real problem" has been public for about 21 months now... perhaps with exploits in the wild Apple will change the default behavior now.

This exploit is a lot like the most common attack vector for the WMF exploit... the OS/app uses the extension to decide the file is safe, then uses the content of the file to determine how to run it; a terrible idea all around.
     
Rumor
Moderator
Join Date: Feb 2006
Location: on the verge of insanity
Feb 22, 2006, 02:49 PM
 
I guess I wasn't sarcastic enough in my last post.
I like my water with hops, malt, hops, yeast, and hops.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Feb 22, 2006, 03:37 PM
 
Just turn off the "open 'safe' files" feature in Safari and you're immune to this.

You should do this anyway; there's really no such thing as a "safe" file.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 22, 2006, 05:15 PM
 
Originally Posted by CharlesS
Just turn off the "open 'safe' files" feature in Safari and you're immune to this.
You can still be tricked into clicking the downloaded ".mov" since it looks like a regular movie file including the correct extension for a movie. Apple needs to fix this issue properly.
Originally Posted by CharlesS
You should do this anyway; there's really no such thing as a "safe" file.
If it works correctly the feature can even increase security, because it lets the user know when to be suspicious about a file. Unfortunately it fails when the shebang line is missing in the script.
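
Added example, not part of the thread: mduell's point above (the extension decides a file is "safe" while the content decides how it runs) and the missing-shebang gap noted in this post both argue for checking content positively against the claimed type rather than looking for script markers. The Python sketch below does that for a download folder; the signature table, function names and sample files are constructed for illustration.

```python
"""Flag files whose 'safe' media extension is not backed by their content."""
import os
import stat
import tempfile

# (offset, signature) pairs accepted for each extension this check vouches for.
SIGNATURES = {
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    ".pdf": [(0, b"%PDF-")],
    # QuickTime/MP4 files start with a 4-byte size followed by an atom type.
    ".mov": [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"free"), (4, b"wide")],
    ".mp4": [(4, b"ftyp")],
}

# Leading bytes of native executables: Mach-O (thin and fat) and ELF.
EXECUTABLE_MAGIC = (
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\x7fELF",
)

# Bytes that can appear in text: printable ASCII, tab/LF/CR, and high bytes.
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D} | frozenset(range(0x80, 0x100))


def describe_content(head):
    """Name what the first bytes of a file look like, ignoring its name."""
    if head.startswith(b"#!"):
        return "script with shebang"
    if head.startswith(EXECUTABLE_MAGIC):
        return "native executable"
    if head and all(b in TEXT_BYTES for b in head):
        # A shell will happily run this even though nothing marks it as a script.
        return "plain text (possible script without shebang)"
    return "unrecognised data"


def check_file(path):
    """Return None if extension and content agree, else a finding dict."""
    ext = os.path.splitext(path)[1].lower()
    expected = SIGNATURES.get(ext)
    if expected is None:
        return None  # extension makes no 'safe media' claim to verify
    with open(path, "rb") as fh:
        head = fh.read(512)
    matches = any(head[off:off + len(sig)] == sig for off, sig in expected)
    mode = os.stat(path).st_mode
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if matches and not executable:
        return None
    return {
        "path": path,
        "claimed": ext,
        "content": "matches extension" if matches else describe_content(head),
        "executable_bit": executable,
    }


def scan(directory):
    """Walk a directory and collect every extension/content disagreement."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            full = os.path.join(root, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            finding = check_file(full)
            if finding:
                findings.append(finding)
    return findings


def demo():
    """Scan a temp dir of constructed samples; returns (name, content, x-bit)."""
    samples = {
        "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",      # genuine JPEG header
        "holiday.jpg": b"echo constructed sample\n",          # script text, no shebang
        "clip.mov": b"#!/bin/sh\necho constructed sample\n",  # script with shebang
        "notes.txt": b"not a type the table covers\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(f["path"]), f["content"], f["executable_bit"])
                for f in scan(tmp)]


if __name__ == "__main__":
    for name, content, xbit in demo():
        print(f"{name}: {content} (executable bit: {xbit})")
```

The check reads file data only, so an "Open with" binding stored outside the data fork is not something it can see.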
     
demibob
Mac Enthusiast
Join Date: Dec 2005
Location: uk
Feb 22, 2006, 05:17 PM
 
Safe files are things like videos and photos, right? How can someone put a virus in that?
     
Todd Madson
Mac Elite
Join Date: Apr 2000
Location: Minneapolis, MN USA
Feb 22, 2006, 05:21 PM
 
By making it appear as if it is a JPEG or movie and it is actually an executable.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 22, 2006, 05:24 PM
 
Originally Posted by demibob
Safe files are things like videos and photos, right? How can someone put a virus in that?
Click here for the demo:

http://www.heise.de/security/dienste.../Heise.jpg.zip
     
shiff
Forum Regular
Join Date: Nov 2001
Feb 22, 2006, 07:12 PM
 
How does making that change in Safari make you absolutely immune? All that does is stop the auto extract when you download it.

What if you download the "program" and Finder thinks it's a Word doc and the icon looks like a Word doc? Many people would just double click to open it and that will execute the script. The next step would be for someone to figure out a way to propagate it via email or another way.

It is not time to worry or anything, but it is an interesting topic and does show things that could happen in the future.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 22, 2006, 08:12 PM
 
Originally Posted by JKT
This is simply untrue. It would hit about the first 10 to 100 people at most before it would be identified as a problem and it would get no further. It wouldn't be able to spread like wildfire because there are no exploits in OS X that allow this (as of yet, and hopefully that remains true).
I'm assuming two things in the post you reference. First, that an exploit of some kind is found, and second that it keeps the user from being able to pass on "hey, this thing's screwed up my computer." Both assumptions are valid-and the second one is even probable in a "well written virus" scenario. History shows that the most damaging viruses have indeed prevented timely reporting of the problem by disabling the computer (the "I Love You" issue is a good example).

And not to attack you, but your second statement about no exploits is a major Mac problem: hopefulness. I'm not saying "despair!" by any means. But hopefulness is a poor strategy for keeping your computer running, and hoping no exploit is found is not useful. Being prepared for one being found IS useful. And that means that Mac users should immediately start being wary of unknown content, content from unknown sources, and "too good to be true" materials. It's not rocket science, it's just the same sort of thing we'd do when offered a "special rate, just for you!" on a credit card mailing.

Glenn -----OTR/L, MOT, Tx
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Feb 22, 2006, 08:52 PM
 
Originally Posted by ghporter
I'm assuming two things in the post you reference. First, that an exploit of some kind is found, and second that it keeps the user from being able to pass on "hey, this thing's screwed up my computer."<snip>
That isn't the way it read to me. Your post implied (to me) that all that was needed was for some simplistic social engineering to be required for a virus to spread like wildfire, not that it would also have to be well written. If I misunderstood you, my bad, but it is just how it read to me. Hence my response.
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 22, 2006, 10:37 PM
 
Cool. Maybe I should have been more explicit-my bad too.

I've been a Windows user since (shudder!) version 1 in 1985. I've been responsible for computer security in a number of large and critical "corporate settings." I was part of a large response team that dealt with a very large campus that was truly infested with the "I Love You" malware-and we implemented a lot of "should have already been in place" computer security while we eradicated that particular irritation. I'm also a Computer Scientist (it says so on my diploma!). I've seen a lot of bad stuff aimed at messing up computers for anything from script writer jollies to industrial espionage to intentional damage to deep infrastructure. All of this tells me that nothing is secure if the users are not savvy and at least passingly suspicious of irregular or out of the ordinary materials. Much like the way we should all treat unsolicited postal mail, particularly if it offers something that's "too good to be true," we must all consider "neat and cool" things online to be suspect unless vetted, and expect "too good to be true" issues online to be hazardous and even dangerous unless proven otherwise.

Of course I get kind of hot under the collar when people say "there's no value in any antivirus for the Mac because there's nothing for it to find." Dismissing a whole class of applications, particularly because one doesn't understand how they might work effectively without "something to look for" is counterproductive, and reinforces many people's belief that they are indeed invulnerable. Mac users are NOT invulnerable; we're just hooked on an OS that's particularly well built and that has not (at least until now) attracted enough negative attention to be bathed in nasty stuff.

Glenn -----OTR/L, MOT, Tx
     
macintologist
Professional Poster
Join Date: Apr 2002
Location: Smallish town in Ohio
Feb 22, 2006, 10:43 PM
 
Originally Posted by TETENAL
That's f*cked up.
     
jwoods
Forum Regular
Join Date: Dec 2005
Feb 22, 2006, 10:46 PM
 
I'm new to the Macs, and OS X in general (but not *nixes)... why do people use accounts with admin privileges for general day to day work? You are better off having separate user and admin accounts.

From what I've read, nothing presented is a cause for alarm. Yes the information is nice, and it helps to be aware of what could be out there. So far, all of them require some sort of user intervention (meaning, you have to actively participate in the problem).
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Feb 22, 2006, 11:39 PM
 
The problem is not running as admin (though you do have a point), it's Apple's reliance on the old crap from the OS 9 days to please the thalos, Siracusas, and fellow "brothers" of the Mac cult. Had OS X been a direct port from NeXTSTEP, sans the InputManagers exploit, Oompa and this 'Safari' exploit would have never happened.

People who run sandboxed accounts can still download and click on an innocuous file hiding a rm -rf ~ script (WARNING: Do not execute this!). You can't patch user stupidity.

However, this latest exploit IS a cause for alarm, because it requires no user interaction whatsoever.

OS X is flawed in several aspects:

- It permits admins access to important root level folders they should have no business mucking around with anyway without privilege escalation (i.e. password prompts).

- Safari, by default, allows for drive-by downloading, which is just stupid. Removing AutoOpenSafeDownloads in the plist will return Safari to its default (of driveby downloading). You must SPECIFICALLY include '-bool NO.'

- Pasting custom icons - and having Finder treat those files as if they really were what they aren't, is unacceptable. This 'feature' is table scrap from OS 9 and needs to die.

- ~/Applications is not included in a default user account and ought to be. You don't just go sticking all of your apps in /Applications.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Feb 23, 2006, 03:55 AM
 
Originally Posted by alphasubzero949
- Safari, by default, allows for drive-by downloading, which is just stupid. Removing AutoOpenSafeDownloads in the plist will return Safari to its default (of driveby downloading). You must SPECIFICALLY include '-bool NO.'
Uh, all you have to do is uncheck a check box in Safari's prefs. No plist hacking necessary.

- Pasting custom icons - and having Finder treat those files as if they really were what they aren't, is unacceptable. This 'feature' is table scrap from OS 9 and needs to die.
Uh, guess what? An application can have any icon it wants anyway, even without pasting custom icons. And setting a custom application to open a file with is a really nice feature. Perhaps a better way for Apple to fix this would be to make the information that tells the computer to open a file with a custom app in the LaunchServices database instead of in the file itself. That way, it would be non-transplantable to other machines, and each user could actually have his/her own setting re: what app to open a file with. But taking away functionality that is really very useful isn't a good solution.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Back up 15 and punt
Grizzled Veteran
Join Date: Nov 2001
Location: Seattle
Feb 23, 2006, 01:47 PM
 
Has it occurred to anybody that the source of these half baked malware are the security companies themselves? It wouldn't surprise me because they are out to sell you and me software. No matter what happens it's going to be very rough for them to sell anything to a Mac user.
     
Hal Itosis
Grizzled Veteran
Join Date: Mar 2004
Feb 23, 2006, 04:08 PM
 
Originally Posted by alphasubzero949
custom icons
Below illustrates something a bit different than the current exploits,
but take a look at the icons on the following <ahem> "documents":

/Library/Documentation/RemoteDesktop/Read Me
/Library/Documentation/iMovie/iMovie Getting Started
/Library/Documentation/Applications/iWork/Pages User Guide
/Library/Documentation/Applications/iPhoto/iPhoto Getting Started
/Library/Documentation/Applications/GarageBand/GarageBand GettingStarted

Do a Get Info on them as well. You can't delete the icons,
because they're not customized... they're bundled inside.

--

The deal with Heise.jpg is a bit different. The icon is 'implied' from
the .jpg extension... but a custom "Open with:" was 'applied' by the
original user... which added a special resource to the file.

As someone somewhere put it...
"LaunchServices' left hand doesn't
know what its right hand is doing."
-HI-
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Feb 23, 2006, 04:15 PM
 
There's no way to completely prevent trojans, but what Apple can do is better alert the user before the malicious code is launched. How about this solution, guys:

A kind of tool-tip similar to the yellow one that reveals the full name of a file in the Finder when moused over. This one would display regular Get Info information when the user moused over it with the full name (with extension) of the file or application, what type it appears to be, whether or not it has a custom icon and if it's a file, what application it's associated with.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
olePigeon
Clinically Insane
Join Date: Dec 1999
Feb 23, 2006, 04:50 PM
 
Originally Posted by Big Mac
There's no way to completely prevent trojans, but what Apple can do is better alert the user before the malicious code is launched. How about this solution, guys:

A kind of tool-tip similar to the yellow one that reveals the full name of a file in the Finder when moused over. This one would display regular Get Info information when the user moused over it with the full name (with extension) of the file or application, what type it appears to be, whether or not it has a custom icon and if it's a file, what application it's associated with.
The OS could also be smart about file extensions. If the file is a ".JPG," or a ".TXT" or whatever, if you open it and it's an application or it modifies another file, interrupt and put up a dialog:

"This file is attempting to modify other files, documents, and/or directories. The ".JPG" extension is usually associated with an image file, which does not normally exhibit this kind of behavior. Do you wish to proceed?"

So if someone makes an App but gives it a .JPG extension (somehow), the OS would warn them.

However, some kind of visual clue that you are going to open up an Application and not any other kind of file would be handy.
"…I contend that we are both atheists. I just believe in one fewer god than
you do. When you understand why you dismiss all the other possible gods,
you will understand why I dismiss yours." - Stephen F. Roberts
     
ghporter
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Feb 23, 2006, 06:31 PM
 
Originally Posted by Back up 15 and punt
Has it occurred to anybody that the source of these half baked malware are the security companies themselves? It wouldn't surprise me because they are out to sell you and me software. No matter what happens it's going to be very rough for them to sell anything to a Mac user.
That's "tinfoil beanie" talk. None of the security companies would really benefit from even a lame virus. They benefit from preventing infections, and frankly they all come up with patches and signatures just about as quickly, so nobody gets a "name" for "stopping the latest virus." Really.

From the Windows world, viruses come from a number of sources. There are "script kiddies" that use virus writing software (really!). This stuff builds different malicious payloads into virus shells, often very well crafted ones. Script kiddies spend their time comparing their nonexistent huevos in terms of number of infections with their own "tag." Another source is malware designed to find and extract things like credit card numbers and personal information-these are usually used for identity theft purposes. Finally there's the espionage angle. Really. A number of Windows viruses are simply intended to find out what's on your computer and then summarize it and phone home. It's usually pretty easy to see where a virus came from and what it's for once you isolate it.

Considering how difficult it can be to run a Windows computer with all the crap floating around that can do seriously bad things to it, you'd think that any security company would have already "made its mark" and done what you suggest. It just doesn't happen.

Glenn -----OTR/L, MOT, Tx
     
Back up 15 and punt
Grizzled Veteran
Join Date: Nov 2001
Location: Seattle
Feb 23, 2006, 06:51 PM
 
Originally Posted by ghporter
That's "tinfoil beanie" talk. None of the security companies would really benefit from even a lame virus. They benefit from preventing infections, and frankly they all come up with patches and signatures just about as quickly, so nobody gets a "name" for "stopping the latest virus." Really.

From the Windows world, viruses come from a number of sources. There are "script kiddies" that use virus writing software (really!). This stuff builds different malicious payloads into virus shells, often very well crafted ones. Script kiddies spend their time comparing their nonexistent huevos in terms of number of infections with their own "tag." Another source is malware designed to find and extract things like credit card numbers and personal information-these are usually used for identity theft purposes. Finally there's the espionage angle. Really. A number of Windows viruses are simply intended to find out what's on your computer and then summarize it and phone home. It's usually pretty easy to see where a virus came from and what it's for once you isolate it.

Considering how difficult it can be to run a Windows computer with all the crap floating around that can do seriously bad things to it, you'd think that any security company would have already "made its mark" and done what you suggest. It just doesn't happen.

If you're not used to viruses and they suddenly start showing up it won't take very long before the average user panics. Tinfoil beanie talk it may sound to you but the average user doesn't have your intelligence. So how about you getting off of your high horse and maybe try to think a little differently. Say, more like the average user. By the way, whether it's true or not, the media has been having a field day with this and you know how they can scare the hell out of people. Not to mention mislead the general public.
( Last edited by Back up 15 and punt; Feb 23, 2006 at 09:21 PM. )
     
jbleisure
Mac Enthusiast
Join Date: May 2005
Location: Bristol
Feb 23, 2006, 07:09 PM
 
Here's how the Guardian newspaper (UK) reported the worms:

http://technology.guardian.co.uk/wee...715261,00.html
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Feb 23, 2006, 08:30 PM
 
That article says this:

First up was a worm dubbed Leap-A or Oomp-A, which spreads via the iChat instant messaging program, and exploits a loophole that Apple created for software developers to let them load code into programs. Malware writers realised they could do that, too.
No, Apple did not create the InputManagers folder for software developers to let them load arbitrary code into programs. They created it for software developers to create input managers for the text input management system. It was not supposed to be used to do haxie-like things. People have abused the InputManagers system in this way, and the virus writers have taken advantage of this hack as well.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Feb 23, 2006, 08:44 PM
 
Well the article has a number of inaccuracies in it, but at least the tone is a good one...
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Feb 23, 2006, 08:45 PM
 
Originally Posted by CharlesS
No, Apple did not create the InputManagers folder for software developers to let them load arbitrary code into programs.
The article didn't say "arbitrary". And it is correct. Apple created the InputManagers folder to let developers load code (namely input managers) into programs.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Feb 23, 2006, 09:53 PM
 
Originally Posted by TETENAL
The article didn't say "arbitrary". And it is correct. Apple created the InputManagers folder to let developers load code (namely input managers) into programs.
It's quite clear what the article meant... they weren't talking about input managers there. They were talking about inserting any code they liked.

Otherwise, try to read the rest of the quote in context. Malware writers realized they could do that too... write input managers! Not.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Status: Offline
Reply With Quote
Feb 23, 2006, 10:51 PM
 
Originally Posted by Hal Itosis
Below illustrates something a bit different than the current exploits,
but take a look at the icons on the following <ahem> "documents":

/Library/Documentation/RemoteDesktop/Read Me
/Library/Documentation/iMovie/iMovie Getting Started
/Library/Documentation/Applications/iWork/Pages User Guide
/Library/Documentation/Applications/iPhoto/iPhoto Getting Started
/Library/Documentation/Applications/GarageBand/GarageBand GettingStarted

Do a Get Info on them as well. You can't delete the icons,
because they're not customized... they're bundled inside.

--

The deal with Heise.jpg is a bit different. The icon is 'implied' from
the .jpg extension... but a custom "Open with:" was 'applied' by the
original user... which added a special resource to the file.

As someone somewhere put it...
"LaunchServices' left hand doesn't
know what its right hand is doing."
Asinine. What was so difficult about making those real PDFs?

Apple has only themselves to blame in this matter.
     
TETENAL
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Status: Offline
Reply With Quote
Feb 23, 2006, 11:33 PM
 
Originally Posted by CharlesS
It's quite clear what the article meant... they weren't talking about input managers there. They were talking about inserting any code they liked.
No, they didn't say "any code". They said "code", meaning input managers. But they didn't say "input managers" because 99.99% of their readership doesn't know what an input manager is.
Originally Posted by CharlesS
Otherwise, try to read the rest of the quote in context. Malware writers realized they could do that too... write input managers! Not.
Well obviously malware authors write malware. So the meaning of "code" changed. They opposed the clever use of input managers to write malware instead of something useful with a clever implied change of the word "code" to malware from something good. That's good writing style.
     
alphasubzero949
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Feb 24, 2006, 12:37 AM
 
Speaking of InputManagers, here's one that will stop a shell command from automatically executing from the Finder:

http://nirs.freeshell.org/safe-terminal/

It also requires that you Cmd+N to open a new shell in Terminal.
     
   
 
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.