Linked by Amjith Ramanujam on Thu 24th Jul 2008 18:01 UTC, submitted by Ward D
Mac antivirus developer Intego may have stumbled across an OS X specific virus being offered for auction, one that targets a previously unknown ZIP archive vulnerability. From Intego's posting, it appears that an enterprising auctioneer is determined to make sure his name is not forgotten when it comes to Apple security, claiming that his exploit is a poisoned ZIP archive that will "KO the system and Hard Drive" when unarchived.
Thread beginning with comment 324392
Hardly likely
by Buck on Thu 24th Jul 2008 19:46 UTC
Buck (member since 2005-06-29)

That is hardly likely. A vulnerability in zip-whatever (e.g. bomarchivehelper) won't lead to control of the system. I can't think of anything that would require a zip decompressor on the system to run with root privileges, nor is it suid root, so the only thing an attacker can gain using that vector is shell access with the rights of the currently logged in user. Not a small thing by any means, but hardly the system KO being promised.

PS. Also that wouldn't technically be a 'virus' being just an exploit for a certain vulnerability.

Edited 2008-07-24 19:55 UTC

Reply Score: 7
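The question Buck raises (does the archive handler run as root, or is it set-user-ID?) is something a defender can check directly. The following is an added example, not code from the original thread: a POSIX shell function that, given candidate archive-helper paths (the paths here are constructed placeholders), reports owner, mode and any setuid/setgid bits, and returns non-zero if any of them is setuid.

```shell
#!/bin/sh
# Report the privilege a compromised archive handler would actually get.
# For each path: owner, permission string, and whether the set-user-ID or
# set-group-ID bit is set. Returns 1 if any listed binary is setuid, else 0.
# Paths passed in are assumed/constructed examples; adjust for your system.
archive_privilege_report() {
    found=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            printf '%s: not present\n' "$p"
            continue
        fi
        owner=$(ls -ld "$p" | awk '{print $3}')
        mode=$(ls -ld "$p" | cut -c1-10)
        flags=""
        # -perm -4000 matches the set-user-ID bit, -2000 the set-group-ID bit
        if find "$p" -maxdepth 0 -perm -4000 | grep -q .; then
            flags="$flags setuid"
            found=1
        fi
        if find "$p" -maxdepth 0 -perm -2000 | grep -q .; then
            flags="$flags setgid"
        fi
        printf '%s owner=%s mode=%s flags=%s\n' "$p" "$owner" "$mode" "${flags:- none}"
    done
    return $found
}

# Stand-alone usage with placeholder paths (constructed; none are real helpers):
# archive_privilege_report /usr/bin/unzip /System/Library/CoreServices/BOMArchiveHelper.app/Contents/MacOS/BOMArchiveHelper
```

A binary that is neither setuid nor invoked by a root-owned process bounds the exploit at the logged-in user's rights, which is exactly Buck's argument; the check does not show what calls the helper, which is tomcat's objection below.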

RE: Hardly likely
by tomcat on Fri 25th Jul 2008 00:10 in reply to "Hardly likely"
tomcat (member since 2006-01-06)

> That is hardly likely. A vulnerability in zip-whatever (e.g. bomarchivehelper) won't lead to control of the system.

HTF can you conclude that? You don't have any idea where the ZIP decompression is called from. If it's running in privileged code, then you DO have a problem that can lead to control of the system.

Reply Parent Score: 2

RE[2]: Hardly likely
by SReilly on Fri 25th Jul 2008 16:00 in reply to "RE: Hardly likely"
SReilly (member since 2006-12-28)

> HTF can you conclude that? You don't have any idea where the ZIP decompression is called from. If it's running in privileged code, then you DO have a problem that can lead to control of the system.

Where the f*** have you ever seen a decompression utility running privileged code? Oh, I forgot, you come from a Windows-centric world.

Try a real platform some time ;-P

Reply Parent Score: 1

RE: Hardly likely
by looncraz on Fri 25th Jul 2008 06:30 in reply to "Hardly likely"
looncraz (member since 2005-07-24)

Imagine if you will:

1. Create trojan application which acquires root privilege because the user is not suspicious.

2. Use elevated status to integrate virus with the system as tightly as possible.

3. Read e-mail addresses from the address book, and hack the e-mail program to automatically attach the trojan.

4. Wait for one hour, giving the user a chance to forget the last thing they did on the computer.

5. Ensure the next time a browser is launched, it crashes.

6. Give the three-finger salute to the boot sector and partition table, zap holes on the cylinder boundaries.

7. Enjoy the ensuing chaos.
Naturally, though, while it is possible to do the above, these kinds of infections have problems spreading. They are devastating and draw much attention - the author will likely be caught and punished.

This is one of the real reasons why these types of infections have nearly vanished. Another big reason is that those with the know-how have discovered that they could avoid their risks and make money with ad- and spyware - sorta mostly legally [ ;-) ].

Of course, the above steps really require knowledge of multiple issues, but only one exploit (obtaining root), which can be very easy thanks to general complacency in the Apple community of users.

--The loon

P.S. I run BeOS, it would be pretty easy to do my machine in - write a script which simply states rm -rf /boot/ and call it some app on BeBits :-)

Reply Parent Score: 2

RE[2]: Hardly likely
by Earl C Pottinger on Fri 25th Jul 2008 14:50 in reply to "RE: Hardly likely"
Earl C Pottinger (member since 2008-07-12)

Sorry, it takes me 15 seconds to reboot off my backup partition, which is normally not mounted so it can't be touched without my noticing.

Additionally, about 95% of my data found on my /boot drive is in fact links to other partitions, and rm does not follow links off the partition it is working on.

Is there an option for that?

Reply Parent Score: 1

RE: Hardly likely
by Soulbender on Fri 25th Jul 2008 11:58 in reply to "Hardly likely"
Soulbender (member since 2005-08-18)

The point of using an exploit is that you DO NOT need to be root in order to get privileged access.

Edited 2008-07-25 12:00 UTC

Reply Parent Score: 2