If you visit today the Infosecsellout blog, you will see a blog entry announcing a new Apple Mac OS X vulnerability and a link to the SecurityFocus web site.
There is no detail, but the title suggests that a Mac worm could be created by using that vulnerability. Also there is no mention of the author.
As we were researching this announcement we soon discovered that more accurate and interesting information was originally posted–but rapidly removed–on that blog. If you visited it on Sunday, you were able to read a note from the man who claims to be the worm author. His motivations were clearly visible: “I wrote this for my own purposes and it will be demonstrated to those who asked me to engage in this work. Yes, I am being compensated for this”.
In this blog entry, the possible author gives some details about its proof of concept, which could be easily changed to be more malicious.
He said his code uses a non patched variation of the MDNSResponder vulnerability recently fixed by Apple. According to this guy, the worm gives remote root access, compromises its first system, places a text file on the desktop and moves on to attempting to compromise other systems on the same network.
This story prove both things: the first is that Macintosh with Intel is an interesting target. Real outbreaks are more than ever possible. The second is that the lure of money motivates many people more or less scrupulous. It is another cause for concern.
July 18th, 2007 at 6:12 am
Prove it. Thought so. More BS.
July 18th, 2007 at 6:42 am
I wonder who is paying him to write a worm for Mac OS X and what part of Redmond WA he/she lives in.
July 18th, 2007 at 6:59 am
didn’t take long for the first Apple fanboi to deny it.
July 18th, 2007 at 7:01 am
So,
What is being said here is that you trawl Apple’s updates for fixed vulnerabilities and then go back to a previous version to release a “bug”?
This makes virus writing rather easy in that you look to see what is fixed and then develop something around what has been fixed and then say Apple is vulnerable in all versions leading up to the fix.
Stupid
July 18th, 2007 at 7:29 am
This ‘proves’ nothing, because he hasn’t released the code. It’s probably just bitter old David Maynorr again, flaunting his usual BS.
July 18th, 2007 at 7:31 am
It’s already patched. Run Software Update, and you won’t be vulnerable. This is a non-issue.
July 18th, 2007 at 7:42 am
The blog referenced proves that the notion of an exploit by an anonymous person is taken as fact without any demonstration or identification of how.
Should we accept as fact that the blogger also lives on the moon and build his own spaceship to get there?
July 18th, 2007 at 8:00 am
You and I and everyone else can say anything! The proof “My Dear Watson” is in the pudding!
July 18th, 2007 at 8:37 am
This isn’t a “worm” for OSX, it’s just a guy with a BLOG wanting attention. Worms cannot spread on OSX, it’s technically impossible because of LaunchD.
That’s also why there are currently NO Viruses for OSX, and never have been since it’s impossible for them to spread from ONE Mac to ANOTHER without user intervention.
Get over it McAfee, there will never been any payment to your company for “protection”. Apple does all the security IN THE OS… it doesn’t rely on 3rd party leeches (norton, yourself, etc) like Microsoft forces their users to do…
Regards, OS11
-
July 18th, 2007 at 9:33 am
I have no doubt that the Mac OS is vulnerable. But it can be managed. Already there are places (Ars Technica, for example) that explain how to deal with the exploit (turn off Bonjour at the command line). Just as in the Windows community, the Mac community has some smart folks who tinker around and figure stuff out. The exploit does not sound like a real “internet” threat, but all the same, an honest researcher would publish to the security community, and the manufacturer. Mac OS 10.5 (Leopard) promises “sand-boxing” which should help with this particular problem.
July 18th, 2007 at 10:02 am
A letter written in all capital letters is understood to be an acronym.
In the context of computers,
MAC = Media Access Control. A MAC address is a (somewhat) unique identifier given to any device that has a network interface. http://en.wikipedia.org/wiki/MAC_address
If you are talking about the computer platform controlled by Apple, then it is written Mac. This was done correctly in the first paragraph of this article, but in the second paragraph, there is the nonsensical statement, “There is no detail, but the title suggests that a Media Access Control worm could be created…”
As you can clearly not create a Media Access Control worm, this should be written as “Mac”.
July 18th, 2007 at 10:39 am
“Macintosh with Intel is an interesting target.”
You lost me there. If this is a genuine claim, then presumably the blogger’s claim that he’s writing a version for the PPC architecture is true as well. IOW, if there is a worm, or something like one, it doesn’t target anything peculiar to Intel chips.
http://www.beskerming.com/commentary/2007/07/18/222/A_Worm_for_Your_Apple
However, I enjoyed the quotes. My favourite was “there are [sic] no such thing as [sic] full-proof [sic] system”. Can someone tell this semi-literate thug that the term is “fool-proof” and he’s supplying the “fool” himself in this piece of histrionics?
July 18th, 2007 at 11:56 am
Other reports are that this same author has made similar claims in the past and refused to substantiate any of those claims.
And no worm came from that either.
July 18th, 2007 at 12:47 pm
The interesting thing to me is the psychology of these so-called hackers who are so desperate to prove the Mac is vulnerable that they keep crying wolf. They are having the opposite effect to what they’re trying to do. When you hear about a “worm” that exploits something that has already been patched by the easy-to-use Software Update system that gives the user confidence. When the MOAB folks, who are to computer security as Rush Limbaugh is to journalism, can only crash a Mac and then go on to find a few bugs in third party apps it gives a nice warm feeling.
The fact is that network security is 30 years old and Apple’s system does the right things with user accounts and software updates so that is why they’ve had success. Windows is wel known to have architectural flaws that can be exploited and lacks basic security features from a decade ago, and that is why Microsoft has been unable to secure it. It runs professional malware like a pro.
July 18th, 2007 at 12:57 pm
Even if this is functional, it will only propagation to computers on the same subnet (As far as I am able to tell, anyway).
It writes a file to the Desktop? Well, that isn’t particularly difficult–it
could be done with AppleScript, if you could convince the user to run the script.
And there’s the rub: barring an exploit to escalate privileges, you’d have to convince the user to run a script or application AND do so with administrators privileges to “Bot the Mac” in the same way that PCs are have been botted over and over again.
The point isn’t that Macs are invulnerable, or that Mac users should
be scolded as children and talked down to about security. The point is that Macs are not quite the same “house of cards” (*especially* in security terms) that PCs have historically been.
July 18th, 2007 at 4:18 pm
You said, “This story prove both things…”
I’m going to have to agree with Matasano on your first wrong assumption.
In regards to your second incorrect assumption, infosecsellout does live in a relatively liberal US city that is not in WA; and works for a legitimate (in all ways) UK company, although I’m certain you’ll never guess the right one.
July 18th, 2007 at 7:42 pm
Worm: “any of a number of creeping or burrowing invertebrate animals with long, slender, soft bodies and no limbs.”
Any similarity to worm writers?
July 18th, 2007 at 11:07 pm
Interesting… seems now some guys are taking interest in breaking MAC. I am eager to see some sort of exploit code being published.
Hope this guy is not kidding around
July 19th, 2007 at 11:44 am
I can to some degree understand the hackers who search for holes in security code to make some sort of profit, but these hackers who think that finding and exploiting flaws in an OS raises them to some sort of deity level within the programming community just pisses me off. I mean really, aside from those in the development and security community, who else really gives a crap if this guy found an exploit? Some unbathed nerd living in his parents basement who searches the web for other bottom feeders who shares his passion for Tron collectables and can reverse engineer code? These hackers need to put their computer skills to good use and start patching XP and OSX…they’d be in a far better position to navigate that skill into a high paying job and earn themselves the respect of other PC users and nerds!
July 19th, 2007 at 2:07 pm
Mac user since 1988, OSX since version 10.2 (5 years)
Don’t have any viruses yet, don’t use any virus software. And don’t tell me I must have hidden viruses, spyware etc. I know better.
24 million copies of OSX out there, but the most dangerous time is early in the life of an operating system, not when it has been out there for 5 years. Vista, virus in first 8500 copies.
Could it happen: Yes, but less likely now, not more.
Am I really worried? NO
July 20th, 2007 at 12:33 pm
“Real outbreaks are more than ever possible.”
That sounds like a virus company’s motto. Should every mac user now buy antivirus software?
That aside, the strange part of his threat is: He doesn’t have access to a PPC Mac? You mean the kind you can get for less than $100?