Linked by Thom Holwerda on Thu 26th Jun 2008 11:13 UTC
Mac OS X
On OSNews, we try to steer away from speaking of specific security incidents, trojans, or viruses, unless they are in one way or another special, or very influential. Over the course of the past 12 months or so, many incidents concerning Mac security arose, but most, if not all, were lemons: they required the user to actively enter his administrator password, or to manually launch the malicious program. In my book, these cases do not constitute serious breaches of security, and hence OSNews ignored them. However, a new security breach has been making the rounds on the internet lately, and it does pose a serious risk.
The worlds first Mac OS X virus here
by evangs on Thu 26th Jun 2008 12:09 UTC
evangs
Member since:
2005-07-07

From: The first OS X Virus
To: You
Subject: Virus

Hi, this is the first Mac OS X virus in the wild. Please do the following:

1) Press CMD + Space.
2) Type "Terminal" without the quotes. Then hit Return.
3) Type "rm -rf ~" without the quotes.
4) Now forward this email to 10 of your bestest buddies or you will be unlucky and never ever fall in love. Ever.

Thank you for your cooperation.

Love,
First Mac OS X Virus.

Edited 2008-06-26 12:09 UTC

Reply Score: 6

zemplar Member since:
2006-02-10


3) Type "rm -rf ~" without the quotes.


You forgot to "sudo" your "rm -rf ~" for best results. ;)

Reply Score: 4

Kroc Member since:
2005-11-10

Yes, but that would ask for the password, and this virus is special because it doesn't do that ;)

Reply Score: 4

evangs Member since:
2005-07-07

You don't need sudo to delete your home directory, surely? The files in there should be owned by you and you wouldn't need sudo.

Reply Score: 4

Spelling issue:
by ciplogic on Thu 26th Jun 2008 12:43 UTC
ciplogic
Member since:
2006-12-22

"... such claims are dubious sine SecureMac actually benefits ..."
Since instead sine.

Reply Score: 1

Where's more info?
by Buck on Thu 26th Jun 2008 12:58 UTC
Buck
Member since:
2005-06-29

So far, what I've read regarding the ARD vulnerability is that it's only exploitable locally, if there is shell access to the machine.
The article doesn't specify any attack vectors. How do we get the malware? Opening a website crashes Safari? Opening an attachment crashes Mail? They don't say.

Reply Score: 0

RE: Where's more info?
by Thom_Holwerda on Thu 26th Jun 2008 13:06 UTC in reply to "Where's more info?"
Thom_Holwerda Member since:
2005-06-29

The article doesn't specify any attack vectors. How do we get the malware?


Did you read? It's right there in the article, in plain sight! How on EARTH did you miss it?

Reply Score: 7

RE[2]: Where's more info?
by Clinton on Thu 26th Jun 2008 17:23 UTC in reply to "RE: Where's more info?"
Clinton Member since:
2005-07-05

I think he/she means what are the steps one would have to take in order to be vulnerable. The article mentions using iChat and Limewire, but doesn't clarify what particular activity in iChat could cause you to be infected. Would simply talking to a friend do it? Do you have to accept some unknown rogue's invitation to chat and chat with them in order to fall victim to this villainy?

It seems obvious the ways Limewire could be used to infect your machine, but the iChat one isn't very revealing.

I agree with the original poster that while very detailed in some regards, the article is vague in others.

Reply Score: 2

nice fix!
by puenktchen on Thu 26th Jun 2008 13:16 UTC
puenktchen
Member since:
2007-07-27

I really like the command using the exploit to fix the exploit:

osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';

Reply Score: 2

RE: nice fix!
by matt_mph on Thu 26th Jun 2008 13:37 UTC in reply to "nice fix!"
matt_mph Member since:
2008-06-13

This doesn't work on my 10.5.3; it's still reporting root as the result from whoami.

Reply Score: 2

RE[2]: nice fix!
by jack_perry on Thu 26th Jun 2008 14:41 UTC in reply to "RE: nice fix!"
jack_perry Member since:
2005-07-06

Wait a few moments, then run the whoami script again. ARDAgent can take a few moments to startup. In my case it took a few seconds; when I first ran the script it said "root" and when I ran it again a moment later it said "jackperry".

Since the fix for this is so easy, one wonders why Apple hasn't taken care of it. Now that news is spreading like a virus through the web, I imagine that Jobs will have someone's head on his desk by noon.

Reply Score: 2
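The two posts above describe a check (ask ARDAgent to run whoami and see whether it answers "root") and a fix (chmod 0555 on the ARDAgent binary, which clears its setuid bit). As an added example, not code from this thread, from OSNews or from Apple, here is the same procedure as a small POSIX shell script with each step in a named function, so the result can be tested instead of eyeballed. The ARDAgent path is the one quoted in the thread; the function names are mine, and the functions take a path argument so they also work on any other setuid binary or on a non-Mac.

```shell
#!/bin/sh
# Added example for this thread (not OSNews or Apple code): audit a setuid
# binary and apply the chmod 0555 mitigation quoted above, then verify it.

# Path quoted in the thread. Assumed, not verified here; on a non-Mac it is
# simply reported as absent.
ARDAGENT_BIN="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# mode_string PATH: print the 10-character mode field from ls (e.g. -rwsr-xr-x).
# Parsing ls is portable across Mac OS X and Linux; stat(1) flags are not.
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# mode_is_setuid MODE: exit 0 when the owner-execute slot carries the setuid
# bit ('s' with execute permission, 'S' without), 1 otherwise. Setgid in the
# group slot ('-rwxr-sr-x') does not count.
mode_is_setuid() {
    case "$1" in
        ???[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# is_setuid PATH: 0 = setuid, 1 = not setuid, 2 = file missing or unreadable.
is_setuid() {
    m=$(mode_string "$1")
    [ -n "$m" ] || return 2
    mode_is_setuid "$m"
}

# neutralise_setuid PATH: strip the setuid bit with chmod 0555 (the same mode
# the thread's one-liner sets) and confirm it is gone. 0 = confirmed clear,
# 1 = bit still set, 2 = chmod failed (no permission or no such file).
neutralise_setuid() {
    chmod 0555 "$1" 2>/dev/null || return 2
    if is_setuid "$1"; then
        return 1
    fi
    return 0
}

# ard_whoami: the thread's probe. Prints the user ARDAgent runs commands as;
# "root" means the hole is open. Returns 2 where osascript does not exist.
ard_whoami() {
    command -v osascript >/dev/null 2>&1 || return 2
    osascript -e 'tell app "ARDAgent" to do shell script "whoami"' 2>/dev/null
}

# audit_ardagent: human-readable report on the ARDAgent binary.
audit_ardagent() {
    if is_setuid "$ARDAGENT_BIN"; then
        echo "ARDAgent is setuid: $(mode_string "$ARDAGENT_BIN")"
    elif [ -e "$ARDAGENT_BIN" ]; then
        echo "ARDAgent is not setuid: $(mode_string "$ARDAGENT_BIN")"
    else
        echo "ARDAgent not present at $ARDAGENT_BIN"
    fi
    who=$(ard_whoami) && echo "ARDAgent runs shell commands as: $who"
}

# Stand-alone use: ./ardcheck.sh --audit   or   sudo ./ardcheck.sh --fix
case "${1:-}" in
    --audit) audit_ardagent ;;
    --fix)   neutralise_setuid "$ARDAGENT_BIN" && echo "setuid bit cleared" ;;
esac
```

Two points the thread raises are worth keeping in mind when reading the output. First, chmod changes the file, not a process that is already running: an ARDAgent instance that was launched setuid root before the fix keeps its root credentials until it exits, so a whoami probe can still answer "root" for a while afterwards, which matches the "wait a few moments" observation above. Second, the thread's one-liner relies on the bug itself to apply the chmod; `--fix` here runs chmod directly, so it needs to be run with sudo as an administrator rather than through ARDAgent.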

RE[3]: nice fix!
by Morph on Thu 26th Jun 2008 15:50 UTC in reply to "RE[2]: nice fix!"
Morph Member since:
2007-08-20

Check it again - now it says 'hax0red' ;)

Reply Score: 1

Comment by Kroc
by Kroc on Thu 26th Jun 2008 15:12 UTC
Kroc
Member since:
2005-11-10

Mac OS X is secure. The threat isn't necessarily from hackers, it's from Apple. When an attack vector is found (it's been like 7 years? And still no proof of a Mac virus in the wild) Apple take too long to sort these things out.

This problem could have been solved a long time ago. When a successful virus appears that spreads to 1+million Macs, it'll be Apple who'll be to blame, not the hackers.

Maybe Snow Leopard will be tighter than Leopard in this regard. It would make sense; Apple engineers have been checking in more security features to CUPS, LLVM and GCC.

Reply Score: 1

RE: Comment by Kroc
by tomcat on Thu 26th Jun 2008 17:21 UTC in reply to "Comment by Kroc"
tomcat Member since:
2006-01-06

Mac OS X is secure.


Oh, if you say so, that should be good enough for anyone ... LMAO..

The threat isn't necessarily from hackers, it's from Apple. When an attack vector is found (it's been like 7 years? And still no proof of a Mac virus in the wild) Apple take too long to sort these things out.


The word that you're struggling to come up with ... is ARROGANCE.

This problem could have been solved a long time ago. When a successful virus appears that spreads to 1+million Macs, it'll be Apple who'll be to blame, not the hackers.


I disagree. It's a SHARED culpability.

Maybe Snow Leopard will be tighter than Leopard in this regard. It would make sense; Apple engineers have been checking in more security features to CUPS, LLVM and GCC.


Time will tell. But given Apple's lax treatment of security, I wouldn't hold my breath.

Reply Score: 2

RE[2]: Comment by Kroc
by tyrione on Thu 26th Jun 2008 19:41 UTC in reply to "RE: Comment by Kroc"
tyrione Member since:
2005-11-21

"Mac OS X is secure.


Oh, if you say so, that should be good enough for anyone ... LMAO..

The threat isn't necessarily from hackers, it's from Apple. When an attack vector is found (it's been like 7 years? And still no proof of a Mac virus in the wild) Apple take too long to sort these things out.


The word that you're struggling to come up with ... is ARROGANCE.

This problem could have been solved a long time ago. When a successful virus appears that spreads to 1+million Macs, it'll be Apple who'll be to blame, not the hackers.


I disagree. It's a SHARED culpability.

Maybe Snow Leopard will be tighter than Leopard in this regard. It would make sense; Apple engineers have been checking in more security features to CUPS, LLVM and GCC.


Time will tell. But given Apple's lax treatment of security, I wouldn't hold my breath.
"


Holy Ass-rape Batman.

http://www.debian.org/

I use it daily with Sid. The released version into Stable has quite a few vulnerabilities.

OS X gets a cold sore for security and they have a deplorable record.

Please.

OS X 10.5.4 is about to be released into the wild, and are you going to cry when ARD gets patched, or will you proclaim some Pirate flag of Victory for FOSS?

What's that? You don't have a nearly $200 Billion corporation to manage?

Please.

I put this flaw squarely on the Systems Design Group who didn't do their job by being lazy with keeping this option available to save them the need to memorize a password.

This wasn't something Apple overlooked. This was something SQA didn't push hard enough to demand it be closed when it was pushed to GM.

This was some numbnut who requested the devs managing the application to add this in for ease of testing and the idiots didn't check before SQA cycles were signed off if that request had been closed.

Reply Score: 4

inadequate
by netpython on Thu 26th Jun 2008 16:53 UTC
netpython
Member since:
2005-07-06

There aren't many security products for the Mac, if any. And Apple isn't really security focused. The Mac's best friend is still its market share.

Reply Score: 3

Would be good to use repositories!
by Windows Sucks on Thu 26th Jun 2008 16:58 UTC
Windows Sucks
Member since:
2005-11-10

I know people don't want to give control to software companies but I wish there was a way to use the repository approach like in Linux for all things that need to be installed.

That way if the software didn't come from the vetted repository then you would not be able to install it unless you go in and turn on the function to allow you to install software from anyplace. (Maybe that would just be a privilege escalation)

Similar to the App Store for the iPhone or Apt on Ubuntu. Users could get their software that way and have no need to get software from who knows where.

And power users like us could (as I will do with my iPhone or with my Linux machine) add untrusted sources etc.

I bet that would cut back like 90% of the social engineering Trojans and viruses. Also would cut back spy ware.

I know. I am dreaming, but I don't think it would be a bad idea. Make PCs more like devices.

Reply Score: 3

Where's the security vulnerability?
by khurt on Thu 26th Jun 2008 17:05 UTC
Thom_Holwerda Member since:
2005-06-29

So what is the security vulnerability? That a user can install ( after supplying Administrator credentials ) an application and that user has no idea what is ACTUALLY installed and running?


There's no nice way to say this, so, uhm... READ THE GODDAMN ARTICLE. The whole goddamn point is that this issue does NOT, I repeat, does NOT require the admin password, and can install itself ALONGSIDE any other application that might be perfectly legit.

GET IT? It's ALL in the article.

Reply Score: 9

OMRebel Member since:
2005-11-14

Modded your post down due to your inability to express your thoughts without resorting to swearing.

Reply Score: 1

macUser Member since:
2006-12-15

So what is the security vulnerability? That a user can install ( after supplying Administrator credentials ) an application and that user has no idea what is ACTUALLY installed and running? Isn't that true for ANY application? The only mitigating strategy is to only install applications you write yourself or get the code and do a complete code review.


No Administrator credentials are required. It uses a flaw in ARD that allows any user to initiate code as root.

Reply Score: 5

bousozoku
Member since:
2006-01-23

Is anyone out there?

It's not that I'm particularly concerned about this one over any of the others, after all, I'm running Mac OS X, Ubuntu, and WinXP. They all have flaws. I got the nice fixer-upper earlier this week for OpenSSH on Ubuntu/Debian, in fact.

Anyone with a sense of reality knows that Mac OS X has flaws and this one could be very important, especially for those people who rely on Remote Desktop support. Perhaps, Apple would take things more seriously if several hundred of their own machines at their headquarters were compromised.

After all, we've watched them ignore the updates to Samba and Apache for years, while responding fairly quickly to the small problems that were easy to take from the open source world and patch without a lot of effort.

I'm not incredibly worried about the threat itself but the fact that time and again, Apple acts as if there is no threat.

Reply Score: 5

MobyTurbo Member since:
2005-07-08

Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago.

Reply Score: 1

bousozoku Member since:
2006-01-23

Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago.


Yes, and then a few weeks later, they did it again.

Of course, how much bad press did they get between the time the problems were found and they fixed them? 1 year, 2 years? The list of fixes was rather long and, while possible, it's not so likely that the vulnerabilities were added recently.

Reply Score: 3

MobyTurbo Member since:
2005-07-08

"Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago.


Yes, and then a few weeks later, they did it again.

Of course, how much bad press did they get between the time the problems were found and they fixed them? 1 year, 2 years? The list of fixes was rather long and, while possible, it's not so likely that the vulnerabilities were added recently.
"

Yes it takes entirely too long for them to patch vulnerabilities. That's why I said "slightly". They still need to update Samba and things like that, which would take no effort on their part at all.

Reply Score: 1

tyrione Member since:
2005-11-21

"Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago.


Yes, and then a few weeks later, they did it again.

Of course, how much bad press did they get between the time the problems were found and they fixed them? 1 year, 2 years? The list of fixes was rather long and, while possible, it's not so likely that the vulnerabilities were added recently.
"

Yes it takes entirely too long for them to patch vulnerabilities. That's why I said "slightly". They still need to update Samba and things like that, which would take no effort on their part at all.

Debian Sid needs to update Samba, but I have confidence that it will be once KDE 4.1 is released seeing as portions of it demand Samba 4.

However, seeing as Samba 3.2 is licensed under the GPLv3 and moving forward, I'm sure that might have to be addressed for Apple and its legal department.

Reply Score: 2

netpython Member since:
2005-07-06

Why do you need to upgrade when all you need is a security patch?

Reply Score: 2

FUD
by shadow_x99 on Thu 26th Jun 2008 22:27 UTC