At first blush, the past two weeks have not been good for the image of Apple’s Mac OS X: Public descriptions of two worms and a trivial exploit for a serious software issue in the operating system appeared on the internet. However, the three programs are hardly a threat to systems running Mac OS X, according to security professionals. CNet covers the same topic.
The media has made the issues much larger than they really are.
But that's the media. Finally something “wrong” with Apple.
It's true, everything appears larger than it really is. It also does not help that Mac users try to create a super cool “we are so safe” OS. The truth is in the middle. OS X is a very safe system compared to its biggest rival, but it's not perfect. We need that middle balance: be cautious, with common sense.
The media is notoriously bad at reporting technical information. While I suspect that the fact that it was a vulnerability in Mac OS X caused some additional hype, the media tends to overhype the severity of most worms it reports on.
These articles were IMO a fair treatment of the reported Mac OS X exploits. Essentially, they report that OS X users will most likely not suffer from these specific attacks. The articles further state that this should serve as a wake up call to Mac OS X users. Mac OS is not immune to malware attacks.
Although the three programs are hardly a threat to today’s systems, “[f]rom the security perspective, the vulnerabilities are quite severe.” The Safari exploit, for example, is just a proof of concept; however, there is nothing stopping a malicious developer from creating a more potent virus using the same exploit.
Thus, I don’t think it’s really fair to call these “academic.” The term “academic” implies that these exploits are largely theoretical, and that there is no real-world effect. But these exploits are not theoretical, it’s just that no one has taken advantage of them yet. If I may abuse an analogy, it’s akin to calling a broken (or easily pickable?) lock on your front door “academic.” Sure, no one has broken in yet, but you had better fix the lock quickly.
The issue is serious, in that these proofs of concept show that it's feasible to write a worm on OS X, as well as to compromise local user security. Where things get dicey is changing system-level stuff.
The problem is that in many cases, Mac users would type in the admin password without thinking too hard about it because of complacency. Look at how many have the ‘run safe files’ option turned on, which is in my opinion a recipe for disaster, but let’s not go there.
These are important, and in my opinion, the media should have been louder and harsher on the situation. It's an excellent chance to send a loud ‘Wake Up’ to the entire Mac user base, that while the OS is better about security, it's still vulnerable to human stupidity, e.g., double clicking on an attachment that was unsolicited or from an untrusted party.
Human error is still the biggest factor in the spread of malware, viruses, and worms.
As I understand it, the Mail vulnerability is essentially a vulnerability in Apple's ‘double-whatever’ message attachment format that allows the sender to specify the opening application in a resource fork defined within said attachment. Mail thinks it's getting a .jpeg (based on the extension) and goes to open/display it as a ‘safe’ file type, but the resource fork specifies ‘Terminal’ as the opening application, so Mail proceeds to invoke bash to run whatever commands the attacker specifies.
‘non-root user’ notwithstanding, if you know anything about UNIX your skin is crawling right now.
Since most Mac user accounts have sudo privileges ( and believe that they are immune to viruses, spyware, etc. ) this is just a social engineering stunt away from ‘root’ privileges.
Even without getting the user to elevate privileges, this is about giving shell-scripting privileges in your user account to anyone that can send you email.
I cannot imagine how someone could consider this overblown or trivial.
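The post above describes an attachment whose extension says “image” while its contents (and its resource fork metadata) say “run me”. As an added example, not code from the original thread or from Apple, the script below performs the check a mail gateway or a cautious user could apply: sniff the first bytes of every attachment and compare them with what the filename and MIME type claim, and for zip attachments list any AppleDouble sidecars (`__MACOSX/._name` entries, the form in which macOS zips carry resource forks). The sample message, attachment bytes and filenames are constructed for the demo; the shell payload is a harmless `echo`.

```python
"""
Added example (not from the original thread): flag mail attachments whose
declared name/MIME type says "image" but whose bytes say "script" or
"executable", plus zip attachments carrying AppleDouble resource-fork
sidecars (__MACOSX/._*). Everything below is constructed demo data.
"""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# Magic-byte signatures; trusted more than an extension or Content-Type header.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"#!", "script"),                # shebang: sh, bash, perl, osascript ...
    (b"\xfe\xed\xfa\xce", "macho"),   # Mach-O, big-endian (PPC era)
    (b"\xce\xfa\xed\xfe", "macho"),   # Mach-O, little-endian
    (b"\xca\xfe\xba\xbe", "macho"),   # fat/universal binary
]
# What an "image" extension should look like inside.
IMAGE_EXTS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def sniff(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def zip_resource_forks(data: bytes) -> list:
    """Names of AppleDouble sidecars (__MACOSX/._foo or ._foo) inside a zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if "/._" in n or n.startswith("._")]


def analyze(raw: bytes) -> list:
    """Inspect every attachment of a raw RFC 822 message; return findings."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        kind = sniff(data)
        f = {"name": name, "declared": part.get_content_type(),
             "sniffed": kind, "flags": []}
        expected = IMAGE_EXTS.get(ext)
        if expected and kind != expected:
            f["flags"].append(f"extension .{ext} but content looks like {kind}")
        if kind in ("script", "macho"):
            f["flags"].append("executable content")
        if kind == "zip":
            forks = zip_resource_forks(data)
            if forks:
                f["flags"].append("AppleDouble resource-fork sidecars: "
                                  + ", ".join(forks))
        findings.append(f)
    return findings


def build_sample() -> bytes:
    """Constructed demo message: one real JPEG, one script named .jpg, one zip."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"   # constructed address
    msg["To"] = "you@example.com"        # constructed address
    msg["Subject"] = "latest pics"
    msg.set_content("check these out")
    # Genuine JPEG header (truncated; enough for the magic check).
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="beach.jpg")
    # Shell script wearing a .jpg name and an image/jpeg Content-Type.
    msg.add_attachment(b"#!/bin/sh\necho hello from a 'jpeg'\n",
                       maintype="image", subtype="jpeg", filename="party.jpg")
    # Zip as produced on macOS: data file plus __MACOSX/._ AppleDouble sidecar.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pics/cat.jpg", b"\xff\xd8\xff\xe0")
        zf.writestr("__MACOSX/pics/._cat.jpg",
                    b"\x00\x05\x16\x07" + b"\x00" * 20)  # AppleDouble magic
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="pics.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in analyze(build_sample()):
        print(finding)
```

A sidecar in a zip is not proof of malice (every Finder-made archive has them), so the last flag is a prompt to look at what the resource fork sets, not a verdict; the extension/content mismatch and the shebang are the signals worth blocking on.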
I would amend the following line from your email
Even without getting the user to elevate privileges, this is about giving shell-scripting privileges in your user account to anyone that can send you email.
and append to that: and from whom you trust enough to stupidly double click anything they send you as an attachment, unsolicited.
I say this because that remains the key issue. The user still has to take an action to initiate the problem, hence the issue remains human error.
If you can’t open a jpeg, what can you do?
I wouldn’t want to run an executable I received in my mail from someone I don’t know, but I wouldn’t think twice about opening a jpeg from someone I did know. Chances are, any worm is going to mine your address book, so you probably would receive something like this from someone you know.
Personally, I tend to be VERY suspicious of any attachment I receive, for this very reason; *if* it's something like a JPG, generally speaking, it'll be displayed inline and not require opening :-), this would be true in both Mail and Entourage.
In a discussion about this issue well over a year ago with John Gruber of Daring Fireball fame, I posited this very situation, and was told that it can't happen. I disagreed then and I disagree now. I would even go so far as to say that for real damage, using an AppleScript instead of Terminal would have been far more invasive, as there are things that can be done with AS that could have in fact done what it appeared to do and done its thing without the alerts. The bug is serious, but I still maintain that the core issue remains human error.
That's my real issue with all of this, both Windows and Mac (and even Linux, though it hasn't been attacked like this, it could be as well, using the exact same ideas, social engineering, and hopefully the average Linux user is smarter than double clicking a file named hardocrepr0n.avi.sh, but then again, I hear about all these Linux users and their moms using Linux…)
The issue is not technical, it's social. There isn't a pervasive awareness of the tomfoolery going on out there. Phishing, worms, etc. all work on the social aspects much more than on technical aspects, because it's cheaper, easier, and more efficient to prey on stupidity than to compromise the technology, which simply keeps improving.
Edited 2006-02-27 21:45
hopefully the average Linux user is smarter than double clicking a file named hardocrepr0n.avi.sh, but then again, I hear about all these Linux users and their moms using Linux…
I don't know about you, but I don't think my mom would double-click on a file named “hardcorepr0n”…well, at least I hope she wouldn't! (shudders)
I hate to break it to you … but she did. What the heck, she was curious…
Yawn, wake me up when the first OS X worm is out there, in the wild.
Before that, all these speeches from the Windows-loving crowd about how Mac overestimates its security are plainly boring. Yes, Mac is overhyped. Yes, they have their momentum now and everybody would like to hype any negative information about them. So what? Apple will provide a patch, OS X will launch Software Update automatically sometime soon and will provide a dialog with a simple ‘Update’ button. Yeah, let's not compare it with the overblown, difficult update (yes, difficult) for Windows XP.
On the topic – some of the mentioned security bugs (not holes) for OS X are quite serious, but they won't/can't work because of the different obstacles in the environments in which OS X is deployed. It simply won't spread, period. And it is not only a matter of market share, but also that OS X is better prepared for security at the overall system level.
People have been assuming that, because the proof-of-concepts required an admin password to access root functionality, that this isn’t serious. That’s really wrong.
These vulnerabilities can be combined with kernel-level exploits (see below) in order to bypass the necessity for specifying a root password.
http://secunia.com/advisories/9535
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0023.html
http://www.virusthreatcenter.com/article.aspx?articleId=333
Sure, these issues have been patched already. But, first, keep in mind that not everybody updates their systems on a regular basis (one of the reasons that Windows has had many problems). Just because a patch is issued doesn’t mean that everybody is going to install it — so there are plenty of vulnerable boxes out there. Second, even if this weren’t the case, I don’t think many security pros are stupid enough to assume there AREN’T kernel-level exploits still hiding in the OS X source code, just waiting to be found. It’s just a matter of time and effort.
So, really, don’t count on user interactivity to save your asses. It just won’t cut it when the hackers really decide to take aim at your boxes.
I have maintained for the 2 1/2 years I have used a Mac that the users are too complacent about security. The time to learn about security is before you have a real problem and not afterwards. I will say that it has been my experience that most OS X users do use the auto update feature. This is one area where Windows is finally catching up starting with XP.
None of these issues would have been able to affect my system, because I came from a Windows world where being proactive was a necessity and had previously dealt with the issues. The main point I want to make is that Mac users are no more immune from social engineering than are most Windows users. The latest happenings will be a good thing if they make users more security conscious.
I'm trying to figure out what “good thing” these ‘threat’ articles are trying to accomplish. And who is it good for? The AV companies trying to enhance their market share across platforms? Or the users?
Anybody remember the worm on Windows that spread through an e-mail message that wasn't a program or script at all? Essentially it alarmed the unsuspecting user into deleting a critical system file from their C:\WINDOWS\SYSTEM32 folder and rebooting their machine. I'm sure you can figure out the result.
Was that really a security flaw in Windows, or was it USER ignorance? And really how can you PATCH your operating system from such ignorance? These Academic worms only exploit USER ignorance, not a security flaw in the operating system.
When you run Windows XP as an administrator, it is the same as logging into a Unix system as root. That ALONE is absurd from a security standpoint. When you are logged in as an administrator on OS X, you are not root still. You are just allowed to launch system-changing applications/documents–and you are still required to enter a password (akin to the RunAs service on WinXP).
This is a real worm:
W32.Bugbear@mm is a mass-mailing worm. It can also spread through network shares. It has keystroke-logging and backdoor capabilities. The worm also attempts to terminate the processes of various antivirus and firewall programs.
I’ve had a similar worm on my XP system. I clicked on a suspicious file downloaded from a P2P program which turned out to be a Trojan.downloader. Before 60 seconds had passed this downloader pulled down Adbars, a keystroke logger, some firewall program, and many other malware programs that infected my system and undermined my highly heralded AV/Spyware software. I watched as my protection failed miserably to stop the trojan.
Was it XP’s fault that this happened? Nope. This was all on me because I was an administrator on this system and I should have known better.
So, in essence, how are these AV companies (Sophos and others) going to account for this? Simply saying ‘you are complacent’ won’t cut it.
…that academic threats have this nasty habit of occurring in the wild sooner or later.
The shell script masquerading as a jpeg is indeed a bug that needs fixing, but I think it is important to remember that the OS can only do so much.
Adding layers of “Are you sure … ?” dialogs for every possibly risky action is not the solution, since that will get people used to clicking “Yes” every time.
Remember the old “honor system” email virus? The one that said “Please email me to everyone on your contact list”?
Well, even if an OS achieved perfect security, it would still be vulnerable to trojans working on that very same principle: they don't send themselves to everyone by taking advantage of any system/email app/instant messaging app vulnerabilities, nor do they use any privilege escalation exploits; they just masquerade as something most users would willingly share with their friends.
Such an application will be limited to whatever permissions the user account has, but unless the user can't do much at all, that usually means a lot of power.