On Thursday, antivirus firm F-Secure published a brief analysis of a proof-of-concept adware program for the Mac OS X that could theoretically hook into any application to run attacker-specified code. The program, dubbed IAdware by F-Secure, could be silently installed in a user’s account without requiring administrator rights. “We won’t disclose the exact technique used here – it’s a feature not a bug – but let’s just say that installing a System Library shouldn’t be allowed without prompting the user,” stated F-Secure in the blog post. “Especially as it only requires copy permissions.” My take: I’d say, hand over the code, then we’ll talk.
What’s all this sh*t coming from “security” firms and “antivirus” companies… they create proof-of-concept viruses that can’t spread and can’t run by themselves, then they talk of adware code without showing it to us which smells puff of smoke again. They are trying so hard to create a mac-userbase [buyerbase] that it doesn’t even seem funny anymore (and I’m not even a mac user so normally I wouldn’t even care, still).
What’s the point? That Mac OS isn’t perfect? That Apple coders actually make mistakes, like any other human in this freaking planet? Well, we already know that; there isn’t a single software application without flaws.
AFAIK, antispyware apps come in handy when your OS has many major flaws, and this doesn’t seem to be the case. So, listen up mac users! Go *now* and buy some antispyware program, you must be protected from 3 or 4 vulnerabilities that no one actually uses! Meh.
Edited 2006-11-24 20:54
What’s with these Windows “security” companies creating bullshit viruses and spyware for platforms that don’t have “legitimate” viruses and spyware?
It’s a scare tactic, it’s not a proof-of-concept. It’s to get old grannies and stupid PHBs to spend loads of cash on dummy code that doesn’t work.
Tinfoil hat time:
I wouldn’t be surprised if, in the next few years, we find real viruses (which won’t be effective like they are on windows) show up for Mac or Linux. They’ll be in the wild, and be developed by the fringe people who make them now, except we’ll have found out that they had been paid off by AV vendors to create this stuff in the first place.
They’re already close enough to a racket that it’s really not funny anymore, all they have left to do is get a “real” virus out in the wild so that they can offer “protection.” After that, I hope whoever is in charge brings a lot of these guys on Extortion and Racketeering charges. Then throw the book at them, hard. The business they’re venturing into with this kind of thing isn’t even remotely legitimate.
That’s how the security industry works: if there are no threats then they’re going to make them up. It’s easy money.
And like l3v1, I’m not even an avid Mac user, I don’t use my Mac that often. But this is still absolutely freaking ridiculous.
If someone modifies “proof-of-concept” code created by F-Secure or Secunia etc. to create a real threat, can Apple take some action against (sue?) them for creating it in the first place?
Maybe if they were selling it under the table to people and refusing to show apple or say anything about it to apple. Otherwise I certainly hope not!
When a real malware app starts throwing popups on an OS X desktop like it can happen on windows then I’ll be interested.
Until then it looks like a few security companies tripping over themselves trying to create a new *market* to milk.
I wouldn’t buy McAfee’s or Norton’s product even if there was a real threat. They both produce the worst products possibly imaginable.
The really sad thing is that once upon a time both McAfee and Norton made really good products, before Symantec and Network Associates entered the picture.
I wonder if Ballmer would consider malware on OS X to be an unlicensed implementation of Microsoft’s intellectual property?
=:-o
‘Elsewhere’,
I am using your statement as my new signature line…
HA, HA!!!
Very funny!
Bill ‘MacGod’ Teeple
may be able to…
could happen…
supposedly…
in theory…
it might…
in the future…
maybe…
one could say…
it’s a possibility…
could occur…
See my point? Anyway, don’t these antivirus companies get enough business and make enough money from the Windows market already? The only threat to Mac users are these security companies who are so desperate to get something out that they will put as much pressure on us as they can to buy their software…
Edited 2006-11-24 22:39
What is worrying them is Microsoft getting their act together so that the chances of infection for most users fall to the point that they can live without buying any anti-virus software.
These issues being announced only help Apple. It’s basically free bug hunting for Apple. The bugs are disclosed. Then, in a security update, Apple fixes them. People finding things like these just help OS X get more secure in the long run.
I find it odd that the only virus code that seems to get released for Linux/OS X only seems to come from anti-virus companies that have teams of programmers who have past experience with a wide range of virus codes/methods.
True in-the-wild virus code used to show up within a few months (even sooner) for not just Windows but most of the earlier micro-computer OSes. MacOS, AmigaOS, Atari TOS, whatever: a virus soon came out to follow.
However, the OS writers have learnt their lessons over the years and it is taking longer and longer to write a viable virus for modern OSes. Vista, Linux, OS X – all are a hard nut to crack if you want to write a virus that can spread.
So with no in-the-wild virus in sight, it looks like the anti-virus companies are priming the pump.
“My take: I’d say, hand over the code, then we’ll talk.”
F-Secure is a good team of people and the fact that they are not distributing this is a good thing. From what I can see, their intention is to help Apple secure OS X (and they are probably talking with them on ways to do it) and not to sell a product. I wouldn’t consider this a worry, an advertisement, or anything other than something to help push forward with a more secure future.
uhm, about the “good team of people” I beg to differ, I know for a fact (I know 2 people who worked there in different departments, one in virus research and one in production) that that is not the case. Generally F-Secure is all about publicity. They have their front man Mikko and that’s about it. Their Anti Spyware suite is the bought Adaware database and their AntiVirus is the Kaspersky database. Do they work with both companies? Probably, but they don’t do much “in-house”. I wrote an article a couple of days ago about this subject. It is all about fear from the Anti-everything vendors. (The article is on my blog at http://blog.2blocksaway.com if anyone cares to read it.)
I don’t know the exact workings of the code discussed here, but it sounds to me a lot like a simple Input Manager getting installed. This is a very well known way to inject code into any Cocoa app. It only works within the current user and it has to be installed there by the user himself (although, yes this could be done secretly by an installer). It’s very easy to then launch the webbrowser or do anything else.
IF this is the way of attack that is meant here, there are surely no system libraries being changed. This would only be news if it actually were any other way of attack besides an Input Manager. I hope they’ll at least disclose whether it is or is not.
well well well, another antivirus company making code to attack a platform in which they can milk more money from the user. Well, I hate to tell you this but most of the world’s best coders, hackers and tinkerers live in the world of unix/osx/linux and I hope the community unleashes everything they have in their arsenal upon anyone who releases any of this code. They WILL be hunted down, they WILL be found and they WILL pay!
Not me! I run OSX, BeOS, Zeta, OS/2, & Linux.
Who’s really afraid?… The AV Companies! Their free ride with Microsoft is coming to an end with MS’s own AV, and it’s panic city – big time! Then again, who knows? I look at Windows users this way… These are people who would buy a high performance car, and then buy gas that has water in it, but rather than go to a different brand of gas, they buy all kinds of filters to get rid of the water, even though none of the filters are 100% effective. They just keep buying those filters, hoping that one of them will be the miracle filter that does the job. The AV Companies are the guys selling those filters for “Microsoft” gas.
Reality is often pretty strange. Maybe those old “I’d rather fight than switch” commercials were a bit too effective.
“We won’t disclose the exact technique used here – it’s a feature not a bug – but let’s just say that installing a System Library shouldn’t be allowed without prompting the user”
I’m not a fan of the “Teh AV companies have it in for OS X because it’s not the virus-riddled cash cow that Windows is” tinfoil hat brigade – but the above quote looks to me like they’re saying “We’re not saying how to do it… but here’s how to do it nudge nudge say-nah-more.”
…the hole has been there since the NeXTStep days and it’s one many applications use for non-nefarious means (including my own little beloved Afloat).
Apple is well aware of this. However, their policy is, if you run an application, you get all consequences of it running (although I must agree with the blog above that standard permissions are too lax on /Library). Their security efforts are focused on the front line, that is, in preventing applications or code from running without you knowing.
Also, recent 10.4 Intel builds (post 10.4.4) have features that prevent some of the holes from being used even by running apps (see mach_inject woes on Intel) unless an administrator gives his password.
This is pure FUD. Everyone knows that OS X is the most secure OS ever, and is impervious to outside attacks.
Er, hold on, there’s nothing spectacular here. The same thing could be fairly trivially implemented on Linux, Solaris, or BSD by maliciously adding LD_PRELOAD settings to your .profile/.bashrc/whatever.
On the one hand, F-Secure say ‘installed to your user account’ and on the other they say ‘System Library’. Which is it, boys and girls?
I’m guessing it’s one of ~/Library/InputManagers, /Library/InputManagers, or /System/Library/InputManagers? Place bets now!
If a non-admin can write to /Library/InputManagers or /System/Library/InputManagers, then we perhaps have a problem; otherwise this whole thing is simply that a user can install a shared library in their own home directory and have it loaded automatically. Newsflash: most other UNIX-like systems that use shared libraries have the same functionality.
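A defender-side check for the two things the thread argues over, the three InputManagers directories named above and LD_PRELOAD lines in shell startup files, added here as an example; it is not code from F-Secure or from any poster. It assumes POSIX sh with a find(1) that accepts octal -perm masks, and it also greps for DYLD_INSERT_LIBRARIES, the OS X counterpart of LD_PRELOAD that the thread does not mention.

```shell
#!/bin/sh
# Added audit helpers (constructed for this thread; not F-Secure's or any poster's code).
# Assumptions: POSIX sh; find(1) with octal -perm masks; DYLD_INSERT_LIBRARIES
# is included as the OS X counterpart of LD_PRELOAD.

# Print "writable" if DIR is group- or world-writable (a non-admin could drop
# a bundle there), "ok" if it exists but is not, "absent" if it does not exist.
dir_write_status() {
    dir="$1"
    [ -d "$dir" ] || { echo absent; return 0; }
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo writable
    else
        echo ok
    fi
}

# Print one line per bundle-like subdirectory of DIR so that unexpected
# Input Manager bundles stand out for review.
list_bundles() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*/; do
        [ -d "$entry" ] || continue
        basename "$entry"
    done
}

# Count lines in a shell startup file that assign LD_PRELOAD or
# DYLD_INSERT_LIBRARIES; any non-zero count deserves a look.
count_preload_lines() {
    file="$1"
    [ -f "$file" ] || { echo 0; return 0; }
    grep -cE '^[[:space:]]*(export[[:space:]]+)?(LD_PRELOAD|DYLD_INSERT_LIBRARIES)=' "$file" || true
}

# Walk the locations the thread names and the usual startup files.
audit() {
    for d in "$HOME/Library/InputManagers" /Library/InputManagers /System/Library/InputManagers; do
        printf '%s: %s\n' "$d" "$(dir_write_status "$d")"
        list_bundles "$d" | sed 's/^/    bundle: /'
    done
    for f in "$HOME/.profile" "$HOME/.bashrc" "$HOME/.bash_profile"; do
        printf '%s: %s preload line(s)\n' "$f" "$(count_preload_lines "$f")"
    done
}

audit
```

On a system that is not OS X the three directories simply report "absent" and only the startup-file check says anything useful.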