When OSX Worms Attack!

Dave G. | February 28th, 2006 | Filed Under: Defenses, Malware

OS X security is very popular to talk about right now. On one side, you have rabid Apple fans who insist that OS X is completely secure. On the flip side, you have security experts claiming that OS X is Swiss cheese. I doubt it will surprise anyone that I say it's somewhere in between. Let me throw my hat into the ring on this subject, and we will start with the latest OS X issues:

  1. Leap.A: Seems to be a genuine, in-the-wild worm. Not clear to me if this was just posted somewhere or if people genuinely got infected. Even if it was running around on the Internet, I suspect the number of infected computers was quite low.
  2. InqTana.A,B,C: Grandstanding. Written so that it could be sent to AV vendors and be talked about in mailing lists. Well documented techniques, or variations on well documented techniques. Only existed in a lab.
  3. Safari/Mail Vulnerability: Far more interesting. This is a serious vulnerability that needs to be fixed. If you are a Mac user, I would at the very least uncheck ‘Open Safe Files’ in Safari preferences. I don’t understand why Apple isn’t advising people on this better. This vulnerability is public, trivial to exploit, and we are at the 7-day mark.

1 Comment so far

  • blog

    April 8th, 2006 11:02 pm

    I tend to agree… but if you consider that MOST OSX deployments consist of a single user with ADMIN rights (write access to /Library) — OSX fares QUITE well. Compare that to a Windows box running with only Administrator accounts or a FOSS box running with only root or wheel based accounts.

    Considering the wide-scale usability of the OS (fix while running / code injection into a process that is supported and not a hack) - fix and continue, inputmanager/simbl plugins, etc, it is still quite amusing that through creative attacks like Oompa, they are still social — required a user to spread them, not self-propagating between machines.

    Maybe this will change, but the current state of the nation shows there’s a lot more FUD wrt OSX than accuracy in both media and security circles.

    You bring up a good point about the BOMArchiver tricking LaunchServices into running scripts and that Apple insists on enabling Safe Open Files by default. This is entirely STUPID and I wish they would look at the client side as they look at the service side — closed by default.
    Mark Grimes | 02.28.06 - 2:28 pm

    1) Leap.A required root privs to work IIRC, and you had to give it those perms when it runs. Lame.

    2) Go get Paranoid Android if you’re worried about LaunchServices, it seems to have a decent approach to addressing the problem while we wait for an official solution from Apple. It’s even open source so you can see how it works and improve it if you have a mind to.
    Martin Roesch | 02.28.06 - 8:19 pm

    And now today’s Security Update for 10.4.5 addresses the aforementioned vulnerability (CVE-2006-0394) wrt Safari/LaunchServices.
    Mark Grimes | 03.01.06 - 5:30 pm