Apple Response to Trojan Warning

[MacRumors]

MacCentral posts Apple's response to yesterday's Trojan warning from Intego.

According to the statement, Apple is investigating the issue:

Quote:

We are aware of the potential issue identified by Intego and are working proactively to investigate it

[JrbM689]

I hope Apple starts collaborating with the Open Source community to fight trojans and viruses... If they don't, we could be almost as bad off as Windows users.

[JohnGillilan]

Mac OS X Security Update 2004-04-10 . . .

Wait for it . . . Wait for it . . . . . Wait for it . . .

[evolu]

apple is rad.

[wPod]

i am not too worried, apple will get it fixed in time. i always feel safe knowing that hackers are more likely to attack 95% of computers instead of 3%. . . though the first person to do it would probably get pretty high recognition. . . not good recognition though. but mac users are also smarter and more careful than M$ users. . . right?!

[Darwin]

Glad Apple is on the case

This should encourage us that Apple does take these things seriously

[jxyama]

patch should be easy in theory. apple just has to make finder behave consistently - if it displays a file as one type, it should act on it as that type when double-clicked. (this used to not be a problem when finder didn't depend on extensions to figure out what the file type icon to display.)

[JohnGillilan]

Wait a second . . . maybe it's just me, but does it seem weird that Apple would give a statement to MacCentral???? That's seems odd. Wouldn't it be on their website in the support section or in a press release? Could this "statement" have been made up??

[ultimind]

Atleast Apple, unlike Microsoft issues regular security updates to it's operating system. Microsoft would have to issue security updates multiple times in a 24 hour period to keep up though. I'm betting Apple will put out a security update to deal with this...

[Rower_CPU]

Quote:

Originally Posted by JohnGillilan

Wait a second . . . maybe it's just me, but does it seem weird that Apple would give a statement to MacCentral???? That's seems odd. Wouldn't it be on their website in the support section or in a press release? Could this "statement" have been made up??

It's a general press release. The same statement can be found on other sites:
http://www.infoworld.com/article/04/...gowarns_1.html

[Photorun]

Maybe it's just me but what's the friggin' big deal here? No really?! I mean, a file that's executable on ANY computer system, be that a peecee craptacularbox or a Mac running OS X, OS 9, or hell, even Linux that is launched by a dummy without thought to where it came from can be launched and harm caused. Why is this a big deal at all? I'm lost? And OS X is still one of the most solid systems but any system, if someone launches something to attack it FROM it, I mean, so what? That's been the way I think all the way back to Basic and DOS. Go back, there's nothing to see here or better yet, just don't believe the hype!

[msconvert]

Quote:

Originally Posted by ultimind

Atleast Apple, unlike Microsoft issues regular security updates to it's operating system. Microsoft would have to issue security updates multiple times in a 24 hour period to keep up though. I'm betting Apple will put out a security update to deal with this...

But I don't want apple just coming out with a quick M$ cludge of a fix. Right now we have to be on edge not paranoid. My real fear is that this is the way finder and iTunes are intended to work for compatibility of MacOS and PC files. I suspect that it will be a significant change when it comes. I just want it done right.

[animefan_1]

Quote:

Originally Posted by JohnGillilan

Wait a second . . . maybe it's just me, but does it seem weird that Apple would give a statement to MacCentral???? That's seems odd. Wouldn't it be on their website in the support section or in a press release? Could this "statement" have been made up??

No. Apple has given MacCentral (MacWorld's news arm) statements plenty of times before, while NOT posting the same info on their own website.

Besides, isn't it against the law to say someone said something, even though they didn't?

[Rincewind42]

Quote:

Originally Posted by JohnGillilan

Mac OS X Security Update 2004-04-10 . . .

Wait for it . . . Wait for it . . . . . Wait for it . . .

Don't bet on it.

Quote:

Originally Posted by jxyama

patch should be easy in theory. apple just has to make finder behave consistently - if it displays a file as one type, it should act on it as that type when double-clicked. (this used to not be a problem when finder didn't depend on extensions to figure out what the file type icon to display.)

The Finder is behaving consistantly. The icon doesn't come from the Finder, but from the application itself. The application itself launches iTunes to play itself as if it were an mp3, so it looks flawless. This really isn't something that can be blanket fixed because there may be legitimate applications that do some of the same things. The proof-of-concept trojan is only given away by the fact that the Finder blatantly says the file is an application (or classic application if you strip the resource fork).

Fortunately this trojan is also extremely fragile, if the resource fork isn't preserved, the application can't even launch. They could try to do it with a standard bundled application, but they would also have to compress/encode it to send it to anyone, and couldn't use the normally invisible .app extension (because two extensions are always shown by OS X).

[jxyama]

Quote:

Originally Posted by Photorun

Maybe it's just me but what's the friggin' big deal here? No really?! I mean, a file that's executable on ANY computer system, be that a peecee craptacularbox or a Mac running OS X, OS 9, or hell, even Linux that is launched by a dummy without thought to where it came from can be launched and harm caused. Why is this a big deal at all? I'm lost? And OS X is still one of the most solid systems but any system, if someone launches something to attack it FROM it, I mean, so what? That's been the way I think all the way back to Basic and DOS. Go back, there's nothing to see here or better yet, just don't believe the hype!

what you are saying is mostly true, but this is newsworthy just for the fact it's a confirmed vulnerbility in OS X/Finder that can be exploited by a trojan. it may seem like a hype to you, but it is definitely newsworthy.

being in the news doesn't make OS X any less "solid" and not being in the news doesn't make this problem go away.

[3-22]

Quote:

Originally Posted by ultimind

Atleast Apple, unlike Microsoft issues regular security updates to it's operating system. Microsoft would have to issue security updates multiple times in a 24 hour period to keep up though. I'm betting Apple will put out a security update to deal with this...

Microsoft issues both regular security updates and out-of-cycle updates. What are you talking about?

True, it's not nearly fast enough for the amount of attacks. Not that admins could easily deploy to thousands of PCs any faster in a company.

[MongoTheGeek]

From the sound of these comments it seems that the trojan only affects machines that run 10 and have classic available?

That means that once classic goes away this won't be a threat?

Since classic is no longer a standard install this is a much smaller threat than it seems?

[Foocha]

Quote:

Originally Posted by Photorun

Maybe it's just me but what's the friggin' big deal here? No really?! I mean, a file that's executable on ANY computer system, be that a peecee craptacularbox or a Mac running OS X, OS 9, or hell, even Linux that is launched by a dummy without thought to where it came from can be launched and harm caused. Why is this a big deal at all? I'm lost? And OS X is still one of the most solid systems but any system, if someone launches something to attack it FROM it, I mean, so what? That's been the way I think all the way back to Basic and DOS. Go back, there's nothing to see here or better yet, just don't believe the hype!

I think the issue is that the Finder misrepresents the file as an MP3 when in fact it's an executable. The problem arises from Mac OS X's halfway-house between OS 9 style File Type & Creator Codes and OS X style document extensions.

With Windows and Linux it's clearer what is executable and what's not. Since OS X has to provide backwards compatibility to OS 9, this one may be tricky for Apple to solve.

[peterjhill]

Did you all see this from the article:

Quote:

Late Thursday night, Symantec Corp. said they were also aware of the Trojan, but noted that the virus has not been found in the "wild."

[musicpyrite]

Quote:

Originally Posted by Macrumors

MacCentral posts Apple's response to yesterday's Trojan warning from Intego.

According to the statement, Apple is investigating the issue:

At least Apple is willing to acccept the fact the there could be a trojan and are going to try to investigate, unlike M$, they just deny it or give excuses.....

[applekid]

Quote:

Originally Posted by peterjhill

Did you all see this from the article:

Quote:

Exactly what I was about to mention. It really isn't a big deal, but since the problem basically is a security hole in iTunes (that didn't exist in iTunes 3 according to the last message in this Google thread. ) that seems very fixable.

[0 and A ai]

They have yet to say if anything malicious can come of this PROOF OF CONECEPT TROJAN.

And as symantec said its not out in the wild.

If its bad apple will fix it. If its nothing then intego has got problems coming there way.

[Jookbox]

ahh, so that's what the security update was for. that was quick and easy.

[cait-sith]

remember that macos is unix, and unix has trojans.

there's lots of trojans for unix that exploit the fact that you may have "." in your path, so put a file called "ls" in your path that does some nasty stuff then runs the real "ls" command, plunk it in the home dir of some user, and woosh. if it happens to root, you're screwed. but unix admins know that trick all too well and it's a known fact NEVER to put . in your path.

the problem here, is that many apple users have no experience with unix (most mac users i know were stunned to see me open up 'terminal', they had no idea what it was). so a lot of the old unix tricks might pop up. rm -rf anyone?

this says nothing about macos really, it's just the nature of computers and operating systems, as well as people having accounts that allow administrator access. one unix rule is don't log in as root unless you have to.

i can imagine mac people cringing thinking 'this is the end', but unix variants have faced this stuff for over 30 years and they're still considered rock solid and low risk.

[killmoms]

Quote:

Originally Posted by jxyama

patch should be easy in theory. apple just has to make finder behave consistently - if it displays a file as one type, it should act on it as that type when double-clicked. (this used to not be a problem when finder didn't depend on extensions to figure out what the file type icon to display.)

OS X still has a filetyping scheme that is less than stellar; I hate that the Creator App is still the default behavior in OS X. BeOS stands as having both the best filesystem and filetyping setup that I've seen yet. I'm hoping Apple rips it off for 10.4 or 10.5.

Basically, BeOS would use MIME types to identify files, for instance if they were downloaded from the web. If there was no MIME type already defined, it would look at extension and associate it that way. If there was no extension, it would actually read the first bit of the file and see if that would allow it to determine what type of file it was looking at.

If Apple would do that, with the "Created by" field in there someplace in the hierarchy, maybe even make the hierarchy user-definable, I'd be in heaven.

Well, once that was married to a new version of HFS w/ always-on indexing, extensible (and indexed!) meta-data, and real-time queries of an incredibly configurable nature. 10.3 is a step in the right direction, but there's some underlying devices that need to appear first.

--Cless