OSNews:

OSNews: http://www.osnews.com/story/19922/New_Trojan_Leverages_Unpatched_Mac_Flaw Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Wed, 25 Nov 2009 12:21:16 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com The worlds first Mac OS X virus here http://osnews.com/thread?320212 http://osnews.com/thread?320212 From: The first OS X Virus
To: You
Subject: Virus

Hi, this is the first Mac OS X virus in the wild. Please do the following:

1) Press CMD + Space.
2) Type "Terminal" without the quotess. Then hit Return.
3) Type "rm -rf ~" without the quotes.
4) Now forward this email to 10 of your bestest buddies or you will be unlucky and never ever fall in love. Ever.

Thank you for your cooperation.

Love,
First Mac OS X Virus.Edited 2008-06-26 12:09 UTC Thu, 26 Jun 2008 12:09:00 GMT donotreply@osnews.com (evangs) Comments Spelling issue: http://osnews.com/thread?320220 http://osnews.com/thread?320220 "... such claims are dubious sine SecureMac actually benefits ..."
Since instead sine. Thu, 26 Jun 2008 12:43:00 GMT donotreply@osnews.com (ciplogic) Comments Where's more info? http://osnews.com/thread?320223 http://osnews.com/thread?320223 So far what I've read regarding the ARD vulnerability is that it's only exploitable locally, if there's a shell access to the machine.
The article doesn't specify any attack vectors. How do we get the malware? Opening a website crashes Safari? Opening an attachment crashes Mail? They don't say. Thu, 26 Jun 2008 12:58:00 GMT donotreply@osnews.com (Buck) Comments RE: Where's more info? http://osnews.com/thread?320224 http://osnews.com/thread?320224

The article doesn't specify any attack vectors. How do we get the malware?

Did you read? It's right there in the article, in plain sight! How on EARTH did you miss it? Thu, 26 Jun 2008 13:06:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments nice fix! http://osnews.com/thread?320226 http://osnews.com/thread?320226 i really like the command using he exploit to fix for the exploit:

osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Ma cOS/ARDAgent"'; Thu, 26 Jun 2008 13:16:00 GMT donotreply@osnews.com (puenktchen) Comments RE: nice fix! http://osnews.com/thread?320228 http://osnews.com/thread?320228 this doesn't work on my 10.5.3 it's still reporting root as the result from whoami Thu, 26 Jun 2008 13:37:00 GMT donotreply@osnews.com (matt_mph) Comments RE: The worlds first Mac OS X virus here http://osnews.com/thread?320233 http://osnews.com/thread?320233

3) Type "rm -rf ~" without the quotes.

You forgot to "sudo" your 'rm -rf~' for best results.

Thu, 26 Jun 2008 14:16:00 GMT donotreply@osnews.com (zemplar) Comments RE[2]: nice fix! http://osnews.com/thread?320235 http://osnews.com/thread?320235 Wait a few moments, then run the whoami script again. ARDAgent can take a few moments to startup. In my case it took a few seconds; when I first ran the script it said "root" and when I ran it again a moment later it said "jackperry".

Since the fix for this is so easy, one wonders why Apple hasn't taken care of it. Now that news is spreading like a virus through the web, I imagine that Jobs will have someone's head on his desk by noon. Thu, 26 Jun 2008 14:41:00 GMT donotreply@osnews.com (jack_perry) Comments RE[2]: The worlds first Mac OS X virus here http://osnews.com/thread?320238 http://osnews.com/thread?320238 Yes, but that would ask for the password, and this virus is special because it doesn't do that

Thu, 26 Jun 2008 15:09:00 GMT donotreply@osnews.com (Kroc) Comments Comment by Kroc http://osnews.com/thread?320240 http://osnews.com/thread?320240 Mac OS X is secure. The threat isn't necessarily from hackers, it's from Apple. When an attack vector is found (it's been like 7 years? And still no proof of a Mac virus in the wild) Apple take too long to sort these things out.

This problem could have been solved a long time ago. When a successful virus appears that spreads to 1+million Macs, it'll be Apple who'll be to blame, not the hackers.

Maybe Snow Leopard will be tighter than Leopard in this regard. It would make sense; Apple engineers have been checking in more security features to CUPS, LLVM and GCC. Thu, 26 Jun 2008 15:12:00 GMT donotreply@osnews.com (Kroc) Comments RE[2]: The worlds first Mac OS X virus here http://osnews.com/thread?320242 http://osnews.com/thread?320242 You don't need sudo to delete your home directory, surely? The files in there should be owned by you and you wouldn't need sudo. Thu, 26 Jun 2008 15:42:00 GMT donotreply@osnews.com (evangs) Comments RE[3]: nice fix! http://osnews.com/thread?320243 http://osnews.com/thread?320243 Check it again - now it says 'hax0red'

Thu, 26 Jun 2008 15:50:00 GMT donotreply@osnews.com (Morph) Comments inadequate http://osnews.com/thread?320250 http://osnews.com/thread?320250 There aren't much security products for the Mac if any. And Apple isn't really security focussed. The Macs best friend is still the marketshare. Thu, 26 Jun 2008 16:53:00 GMT donotreply@osnews.com (netpython) Comments Would be good to use repositories! http://osnews.com/thread?320252 http://osnews.com/thread?320252 I know people don't want to give control to software companies but I wish there was a way to use the repository approach like in Linux for all things that need to be installed.

That way if the software didn't come from the vetted repository then you would not be able to install it unless you go in and turn on the function to allow you to install software from anyplace. (Maybe that would just be a privilege escalation)

Similar to the App Store for the iphone or Apt on Ubuntu. Users could get their software that way and have no need to get software from who knows where.

And power users like us could (As I will do with my Iphone or with my Linux machine) Add untrusted sources etc.

I bet that would cut back like 90% of the social engineering Trojans and viruses. Also would cut back spy ware.

I know. I am dreaming but I don't think it would be a bad idea. Make PC's more like devices. Thu, 26 Jun 2008 16:58:00 GMT donotreply@osnews.com (Windows Sucks) Comments Where's the security vulnerability? http://osnews.com/thread?320253 http://osnews.com/thread?320253 So what is the security vulnerability? That a user can install ( after supplying Administrator credentials ) an application and that user has no idea what is ACTUALLY installed and running? Isn't that true for ANY application? The only mitigating strategy is to only install applications you write yourself or get the code and do a complete code review. Thu, 26 Jun 2008 17:05:00 GMT donotreply@osnews.com (khurt) Comments RE: Comment by Kroc http://osnews.com/thread?320254 http://osnews.com/thread?320254

Mac OS X is secure.

Oh, if you say so, that should be good enough for anyone ... LMAO..

The threat isn't necessarily from hackers, it's from Apple. When an attack vector is found (it's been like 7 years? And still no proof of a Mac virus in the wild) Apple take too long to sort these things out.

The word that you're struggling to come up with ... is ARROGANCE.

This problem could have been solved a long time ago. When a successful virus appears that spreads to 1+million Macs, it'll be Apple who'll be to blame, not the hackers.

I disagree. It's a SHARED culpability.

Maybe Snow Leopard will be tighter than Leopard in this regard. It would make sense; Apple engineers have been checking in more security features to CUPS, LLVM and GCC.

Time will tell. But given Apple's lax treatment of security, I wouldn't hold my breath. Thu, 26 Jun 2008 17:21:00 GMT donotreply@osnews.com (tomcat) Comments RE: Where's the security vulnerability? http://osnews.com/thread?320255 http://osnews.com/thread?320255

So what is the security vulnerability? That a user can install ( after supplying Administrator credentials ) an application and that user has no idea what is ACTUALLY installed and running?

There's no nice way to say this, so, uhm... READ THE GODDAMN ARTICLE. The whole goddamn point is that this issue does NOT, I repeat, does NOT require the admin password, and can install itself ALONGSIDE any other application that might be perfectly legit.

GET IT? It's ALL in the article. Thu, 26 Jun 2008 17:22:00 GMT donotreply@osnews.com (Thom_Holwerda) Comments RE[2]: Where's more info? http://osnews.com/thread?320256 http://osnews.com/thread?320256 I think he/she means what are the steps one would have to take in order to be vulnerable. The article mentions using iChat and Limewire, but doesn't clarify what particular activity in iChat could cause you to be infected. Would simply talking to a friend do it? Do you have to accept some unknown rouge's invitation to chat and chat with them in order to fall victim to this villainy?

It seems obvious the ways Limewire could be used to infect your machine, but the iChat one isn't very revealing.

I agree with the original poster that while very detailed in some regards, the article is vague in others. Thu, 26 Jun 2008 17:23:00 GMT donotreply@osnews.com (Clinton) Comments RE[2]: Where's the security vulnerability? http://osnews.com/thread?320258 http://osnews.com/thread?320258 Modded your post down due to your inability to express your thoughts without resorting to swearing. Thu, 26 Jun 2008 17:41:00 GMT donotreply@osnews.com (OMRebel) Comments RE: Where's the security vulnerability? http://osnews.com/thread?320259 http://osnews.com/thread?320259

So what is the security vulnerability? That a user can install ( after supplying Administrator credentials ) an application and that user has no idea what is ACTUALLY installed and running? Isn't that true for ANY application? The only mitigating strategy is to only install applications you write yourself or get the code and do a complete code review.

No Administrator credentials are required. It uses a flaw in ARD that allows any user to initiate code as root. Thu, 26 Jun 2008 17:45:00 GMT donotreply@osnews.com (macUser) Comments RE[2]: Where's the security vulnerability? http://osnews.com/thread?320264 http://osnews.com/thread?320264 Modded your post up due to your inability to express your thoughts without resorting to swearing. Thu, 26 Jun 2008 19:06:00 GMT donotreply@osnews.com (beowuff) Comments RE[2]: Comment by Kroc http://osnews.com/thread?320271 http://osnews.com/thread?320271

"Mac OS X is secure.

Oh, if you say so, that should be good enough for anyone ... LMAO..

The threat isn't necessarily from hackers, it's from Apple. When an attack vector is found (it's been like 7 years? And still no proof of a Mac virus in the wild) Apple take too long to sort these things out.

The word that you're struggling to come up with ... is ARROGANCE.

This problem could have been solved a long time ago. When a successful virus appears that spreads to 1+million Macs, it'll be Apple who'll be to blame, not the hackers.

I disagree. It's a SHARED culpability.

Maybe Snow Leopard will be tighter than Leopard in this regard. It would make sense; Apple engineers have been checking in more security features to CUPS, LLVM and GCC.

Time will tell. But given Apple's lax treatment of security, I wouldn't hold my breath. "

Holy Ass-rape Batman.

http://www.debian.org/

I use it daily with Sid. The released version into Stable has quite a few vulnerabilities.

OS X gets a cold sore for security and they have a deplorable record.

Please.

OS X 10.5.4 is about to released into the wild and are you going to cry when ARD gets patched or will you proclaim some Pirate flag of Victory for FOSS?

What's that? You don't have a nearly $200 Billion corporation to manage?

Please.

I put this flaw squarely on the Systems Design Group who didn't do their job by being lazy with keeping this option available to save them the need to memorize a password.

This wasn't something Apple overlooked. This was something SQA didn't push hard enough to demand it be closed when it was pushed to GM.

This was some numbnut who requested the devs managing the application to add this in for ease of testing and the idiots didn't check before SQA cycles were signed off if that request had been closed. Thu, 26 Jun 2008 19:41:00 GMT donotreply@osnews.com (tyrione) Comments Apple, wake up, wake up! It's not a dream. http://osnews.com/thread?320273 http://osnews.com/thread?320273 Is anyone out there?

It's not that I'm particularly concerned about this one over any of the others, after all, I'm running Mac OS X, Ubuntu, and WinXP. They all have flaws. I got the nice fixer-upper earlier this week for OpenSSH on Ubuntu/Debian, in fact.

Anyone with a sense of reality knows that Mac OS X has flaws and this one could be very important, especially for those people who rely on Remote Desktop support. Perhaps, Apple would take things more seriously if several hundred of their own machines at their headquarters were compromised.

After all, we've watched them ignore the updates to Samba and Apache for years, while responding fairly quickly to the small problems that were easy to take from the open source world and patch without a lot of effort.

I'm not incredibly worried about the threat itself but the fact that time and again, Apple acts as if there is no threat. Thu, 26 Jun 2008 19:49:00 GMT donotreply@osnews.com (bousozoku) Comments RE: Apple, wake up, wake up! It's not a dream. http://osnews.com/thread?320277 http://osnews.com/thread?320277 Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago. Thu, 26 Jun 2008 20:09:00 GMT donotreply@osnews.com (MobyTurbo) Comments RE[2]: Apple, wake up, wake up! It's not a dream. http://osnews.com/thread?320297 http://osnews.com/thread?320297

Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago.

"Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago.

Yes, and then a few weeks later, they did it again.

Of course, how much bad press did they get between the time the problems were found and they fixed them? 1 year, 2 years? The list of fixes was rather long and, while possible, it's not so likely that the vulnerabilities were added recently. "

Yes it takes entirely too long for them to patch vulnerabilities. That's why I said "slightly". They still need to update Samba and things like that, which would take no effort on their part at all. Thu, 26 Jun 2008 22:16:00 GMT donotreply@osnews.com (MobyTurbo) Comments FUD http://osnews.com/thread?320302 http://osnews.com/thread?320302 This is a FUD story again...

Probably if you someone have an unpatched version of Leopard or a upgraded Tiger to Leopard may have the vulnerability.

However, on a vanilla Leopard Instal 10.5.3, here is what you get if you try to run the 'whoami' command using the so-called exploit:

An error of type -10810 has occurred. (-10810)

I've looked at a 10.5.2 install and same result... So this is plain fud...

If you are vulnerable, patch up to the latest and greatest or try that little command-line in the source article.

My 2 cents. Thu, 26 Jun 2008 22:27:00 GMT donotreply@osnews.com (shadow_x99) Comments RE[4]: Apple, wake up, wake up! It's not a dream. http://osnews.com/thread?320350 http://osnews.com/thread?320350

"[q]Apple has gotten slightly better about patching vulnerabilities, they did a good job of hardening Quicktime a couple of months ago.

Yes, and then a few weeks later, they did it again.

Of course, how much bad press did they get between the time the problems were found and they fixed them? 1 year, 2 years? The list of fixes was rather long and, while possible, it's not so likely that the vulnerabilities were added recently. "

Yes it takes entirely too long for them to patch vulnerabilities. That's why I said "slightly". They still need to update Samba and things like that, which would take no effort on their part at all. [/q]

Debian Sid needs to update Samba, but I have confidence that it will be once KDE 4.1 is released seeing as portions of it demand Samba 4.

However, seeing as Samba 3.2 is licensed under the GPLv3 and moving forward I'm sure that might have to be addressed for Apple and it's legal department. Fri, 27 Jun 2008 06:00:00 GMT donotreply@osnews.com (tyrione) Comments RE[5]: Apple, wake up, wake up! It's not a dream. http://osnews.com/thread?320371 http://osnews.com/thread?320371 Why do you need to upgrade when all you need is a security patch? Fri, 27 Jun 2008 08:38:00 GMT donotreply@osnews.com (netpython) Comments