The update to this story posted basically backs what I said... don't believe the hype. Move along, nothing to see here.
 
MongoTheGeek said:
From the sound of these comments it seems that the trojan only affects machines that run 10 and have classic available?

That means that once classic goes away this won't be a threat?

Since classic is no longer a standard install this is a much smaller threat than it seems?

No, the application is Carbon, meaning it runs on both Mac OS X and Mac OS 9, as opposed to Classic, which runs on Mac OS 9 and is emulated on Mac OS X. I'm not sure if it's actually written to run properly on Mac OS 9, but it was written as Carbon so that it could use a resource fork. Having Classic installed has nothing to do with it.
 
applekid said:
Exactly what I was about to mention. It really isn't a big deal, but since the problem basically is a security hole in iTunes (that didn't exist in iTunes 3 according to the last message in this Google thread) that seems very fixable.

This is not a security problem with iTunes. I'm as avid a mac user as any but people seem personally offended if a vulnerability of mac OS is revealed. This is a vulnerability of the OS itself. It is also different from just mislabelling a file or changing the extensions of a file as some users are suggesting. Don't believe me? Change the extension of some windows exe to mp3 and then try to open it in windows media and see what happens. It does not play. This hack is clever because not only is the extension mp3 but it really is an mp3 to iTunes and also an application to the OS. Think of this as a file existing in two states simultaneously. Is it a big deal? Maybe not, but half of the Windows trojans are no big deal but mac users are quick to pounce on microsoft at the smallest vulnerability. Mac users' skepticism is further compounded if microsoft then says that the vulnerability is no big deal. Hey, the shoe is on our foot. It does us no good to bury our head in the sand.
 
Trojan Horse?

If I write an application (*.app or *.exe) that deletes your files, then I make the icon look like an MS Word file, is that a Trojan horse?
 
byamabe said:
If I write an application (*.app or *.exe) that deletes your files, then I make the icon look like an MS Word file, is that a Trojan horse?

So what if it is? There are many ways to write a trojan. What is your question proving? Your scenario is not similar to what is happening with this particular trojan. Would you then be able to go into word and open your file as a word file? Obviously not!! What is clever about this hack is not only that the file appears to be mp3, but it can actually be played in iTunes and behaves as an mp3. I'd like to see an exe file behave as a word file. Behaviour is more than just having an icon.
 
wnurse said:
Behaviour is more than just having an icon.
Yes, the behavior of having your files wiped is the more important issue. Whether the trojan horse actually opens word is irrelevant. I got you to click the app and wipe your files. Are you still concerned that Word didn't open? Maybe you'll double click to try to open it again :)
 
byamabe said:
Yes, the behavior of having your files wiped is the more important issue. Whether the trojan horse actually opens word is irrelevant. I got you to click the app and wipe your files. Are you still concerned that Word didn't open? Maybe you'll double click to try to open it again :)

Of course it is, who is arguing that? I thought we were arguing the uniqueness of the trojan approach. Strange, for years mac users boasted about not having trojans or virus and now we are told this is old news and really not a clever hack? Huh? Maybe I should just go back to windows then. I mean, what's the point, why put up with a platform with less applications, higher hardware cost if it too can be just as easily affected as a windows machine? The mac is cool but so what? Money is cooler. If I can buy a machine for less money, I'd definitely feel a lot cooler than the other guy spending more cash to get a mac and having less money.
 
wnurse said:
Of course it is, who is arguing that? I thought we were arguing the uniqueness of the trojan approach. Strange, for years mac users boasted about not having trojans or virus and now we are told this is old news and really not a clever hack? Huh? Maybe I should just go back to windows then. I mean, what's the point, why put up with a platform with less applications, higher hardware cost if it too can be just as easily affected as a windows machine? The mac is cool but so what? Money is cooler. If I can buy a machine for less money, I'd definitely feel a lot cooler than the other guy spending more cash to get a mac and having less money.

Go back to Windows then... Is anyone stopping you? You actually tried to make that read as if the 'Mac Crowd' would give a flying **** what platform you choose.

People like windows, people like OSX. Take your pick. Who ****in' cares what you do...
 
Foocha said:
I think the issue is that the Finder misrepresents the file as an MP3 when in fact it's an executable. The problem arises from Mac OS X's halfway-house between OS 9 style File Type & Creator Codes and OS X style document extensions.

With Windows and Linux it's clearer what is executable and what's not. Since OS X has to provide backwards compatibility to OS 9, this one may be tricky for Apple to solve.

The Finder is NOT misrepresenting the file. Not one bit. The file is misrepresenting itself. This is only possible because Mac OS X allows applications that are built as a single file (Carbon/CFM or Classic/CFM with resource fork). A similar exploit is possible on Windows (although a Windows mp3 player may be less willing to play the file).

The only reason why this application even passes the 'double-click' test is because the icon looks like that of an iTunes MP3 file. You can just as easily create a Word document, a PDF file, or a shell script that looks like an MP3 file by just copying and pasting in the Finder in under a minute. The only difference is that it won't be recognized as an MP3 by iTunes (which the Trojan is only because of a little CFM hackery). And just like this trojan if you transfer it in a method that doesn't preserve the resource fork it is neutered. Given that most users have extensions hidden (because that is the default in the Finder) most users wouldn't be able to tell the difference between any kind of document if the icon looks like an mp3.

So really, this isn't an issue of the Finder, the Finder does its job exactly as it should (it displays the icon the application says to use, and identifies the file as an application).

wnurse said:
This is a vulnerability of the OS itself. It is also different from just mislabelling a file or changing the extensions of a file as some users are suggesting. Don't believe me? Change the extension of some windows exe to mp3 and then try to open it in windows media and see what happens. It does not play. This hack is clever because not only is the extension mp3 but it really is an mp3 to iTunes and also an application to the OS. Think of this as a file existing in two states simultaneously. Is it a big deal? Maybe not, but half of the Windows trojans are no big deal but mac users are quick to pounce on microsoft at the smallest vulnerability. Mac users' skepticism is further compounded if microsoft then says that the vulnerability is no big deal. Hey, the shoe is on our foot. It does us no good to bury our head in the sand.

There is no vulnerability here. At least, not one that is generally plausible. And remember that in Windows the default is to hide extensions also. Create a Windows executable with a Winamp MP3 icon on it and you'll get any number of users to double click on it hoping to listen to the latest Top 10 hit. And bang, you're dead. The difference here is that on Mac OS X it's a heck of a lot easier to get an application that is actually recognized as an mp3 by iTunes (because of a feature of the CFM format). That particular quirk is the only thing that actually makes this trojan interesting, because by the time that happens the user has already double-clicked the file and the trojan writer has won. The fact that the user gets to listen to their favorite song while their computer is getting owned is just a nifty side effect.
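An added example, not part of any post in this thread: a defensive check for the mismatch the posts above describe, where a file's name promises a document while its Finder metadata marks it as an application. It assumes the caller has already read the 32-byte FinderInfo record, the resource fork size and the first bytes of the data fork; the function names, extension list and sample values are hypothetical.

```python
import os
import struct

# Extensions a user expects to be passive documents (illustrative list).
DOCUMENT_EXTENSIONS = {".mp3", ".m4a", ".pdf", ".doc", ".jpg"}
APPLICATION_TYPE = b"APPL"  # classic Mac OS type code for an application


def parse_finder_info(blob):
    """Return (type, creator) from a 32-byte big-endian FinderInfo record."""
    if len(blob) != 32:
        raise ValueError("FinderInfo must be exactly 32 bytes")
    return struct.unpack(">4s4s", blob[:8])


def looks_like_mp3(head):
    """True if the data fork starts with an ID3v2 tag or an MPEG frame sync."""
    if head.startswith(b"ID3"):
        return True
    return len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0


def classify(name, finder_info, resource_fork_size, data_head):
    """Compare what the name promises with what the metadata says."""
    ext = os.path.splitext(name)[1].lower()
    plays = looks_like_mp3(data_head)
    file_type = parse_finder_info(finder_info)[0] if finder_info else None
    if file_type != APPLICATION_TYPE:
        verdict = "document"
    elif resource_fork_size == 0:
        # Transfer stripped the resource fork: per the thread, it cannot launch.
        verdict = "inert-application"
    elif ext in DOCUMENT_EXTENSIONS:
        verdict = "disguised-application"
    else:
        verdict = "application"
    return {"verdict": verdict, "plays_as_mp3": plays}


# Constructed sample metadata (creator code "TEST" is made up).
APP_INFO = b"APPL" + b"TEST" + bytes(24)
ID3_HEAD = b"ID3\x03\x00\x00\x00\x00\x00\x0a"

if __name__ == "__main__":
    for args in [("song.mp3", APP_INFO, 4096, ID3_HEAD),
                 ("song.mp3", APP_INFO, 0, ID3_HEAD),
                 ("song.mp3", None, 0, ID3_HEAD),
                 ("Installer", APP_INFO, 4096, b"Joy!")]:
        print(args[0], args[2], classify(*args))
```

A mail gateway or download scanner could quarantine anything that comes back as `disguised-application`, whether or not the data fork also plays as audio.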
 
wnurse said:
Of course it is, who is arguing that? I thought we were arguing the uniqueness of the trojan approach. Strange, for years mac users boasted about not having trojans or virus and now we are told this is old news and really not a clever hack? Huh? Maybe I should just go back to windows then. I mean, what's the point, why put up with a platform with less applications, higher hardware cost if it too can be just as easily affected as a windows machine? The mac is cool but so what? Money is cooler. If I can buy a machine for less money, I'd definitely feel a lot cooler than the other guy spending more cash to get a mac and having less money.
Sure, that you can drop an application into an MP3 player and it plays is a neat trick. You seem to be mixing the notions of security and abuse. I don't know of a platform that can prevent someone from writing an application that can do something abusive like wipe your files, start a DOS attack, or go to your password directory and start sending them out unless that platform is severely restricted in functionality (Java applets). However, some platforms are more resistant (not impervious) to things like buffer overrun/underrun.

I really don't understand your reasoning regarding viruses and the cost of the mac. I assume you bought your machine to get some task done as efficiently as possible (time is money). Viruses are an impediment to that efficiency, so are crashes, driver conflicts, overall system performance and integration, etc. If you find that you can get your task done more efficiently on a Windows box then you probably should have bought one.
 
Don't you just love all our instant security experts here :D

Anyways, from Wired news:
The program exploits a vulnerability that goes back to the original Mac operating system...The vulnerability was exploited several times by Trojans authored for previous versions of the Mac OS.

Sounds like old news to me and that it's not that big of a deal if it hasn't already been taken care of years later after knowing about it.

The program can't be spread by e-mail or through a file-sharing network unless it is compressed using software like Aladdin's Stuffit. Failing to compress the MP3 file before sending it renders the software inoperative.
 
jxyama said:
patch should be easy in theory. apple just has to make finder behave consistently - if it displays a file as one type, it should act on it as that type when double-clicked. (this used to not be a problem when finder didn't depend on extensions to figure out what the file type icon to display.)

Somebody has probably corrected you on this already. The file in question is identified as an "application" by the Finder, even though it doesn't look like one. It's that visual deception that is at issue.
 
Just as a thought for how Apple could consider providing a level of protection against this kind of thing. You know how alias icons have that little arrow? Well, what if Apple implemented a small symbol that would superimpose itself on top of the icon of a file to indicate whether it was an application file or a document file?

Just a thought.
 
byamabe said:
Whether the trojan horse actually opens word is irrelevant.
Negative!

This is the worst type. The ones that affect your system without the user knowing.

If I double click on an icon and it does what it is supposed to do, such as play an mp3 song, then the user has no idea that his/her system has just been infected. That is the worry here.

Sushi
 
sushi said:
If I double click on an icon and it does what it is supposed to do, such as play an mp3 song, then the user has no idea that his/her system has just been infected. That is the worry here.

If the user has double clicked the file, then it is too late, they have been owned. The trojan can do whatever damage it is going to do in the few seconds it takes for the user to realize that the file they just double clicked does nothing and they have tossed it into the trash. The damage is done.

Again, the only thing that is particularly interesting about this is the fact that it has the novelty of also being a valid MP3 file. The application delivered its payload long before the music started playing.
 
Rincewind42 said:
If the user has double clicked the file, then it is too late, they have been owned. The trojan can do whatever damage it is going to do in the few seconds it takes for the user to realize that the file they just double clicked does nothing and they have tossed it into the trash. The damage is done.

Again, the only thing that is particularly interesting about this is the fact that it has the novelty of also being a valid MP3 file. The application delivered its payload long before the music started playing.
Yes, once you double click it is too late.

However, being owned has nothing to do with what I am talking about.

Sorry that I cannot go into more detail here...

Sushi
 
Virex not as good as Norton

I was just on Norton's site and they seem to have all the info and know about mp3concept but on McAfee Virex's site they don't have anything on it... Are they not as good as Norton? :confused:

Does this mean that Virex at the current time does not cover the trojan and norton does, or did they just not list anything(seems kinda strange tho)
 
musicpyrite said:
....unlike M$, they just deny it or give excuses.....

I think that's a bit over the top... okay, wrong. They don't deny anything or they wouldn't have a daily patch. And they have only given excuses when the patch fails. They're on the threats as they are reported, and respond quite well, I might add. They just hope their users DO the patch, which they don't, which ruins their life or at least a weekend of it.
Bottom line is you can hate MS (which I do as well), but use just the facts. There's enough of those for everyone.
 
QCassidy352 said:
I was just about to post this. That's awful. Now people who don't know any better will think that there is actually a harmful virus out there that attacks macs.

You bet. After YEARS of trying to tell folks not to worry, I STILL get letters from my users asking about the latest threats, which they are immune to. I was forced (actually my own choice) to purchase Kerio Mailserver with the McAfee scanner and spam control. If you're not familiar with it, go to their site. Looks like a splendid solution. KERIO SITE
 
Fat Tony said:

Ya know, I was worried about the ignorant jagoffs in the media blowing this out of proportion. The media is worse than the actual exploit! I just freakin' knew this was going to happen! :rolleyes: :mad: The author of that tripe needs to figure out what viruses and trojans are before spewing BS.
 
wnurse said:
This is not a security problem with iTunes. I'm as avid a mac user as any but people seem personally offended if a vulnerability of mac OS is revealed. This is a vulnerability of the OS itself

Well, it depends where you draw the line as to what the OS is and what's an add-on. The OS I call the demark seems to be doing its part - it runs the application and handles the appleevents requested of it. Seems OK.

It looks like the problem is either in iTunes or Quicktime - I'm not sure how iTunes is coded, but whichever of them is responsible for validating the file type, it should confirm the validity of the media file. Being a CFM application should be a test of whether a file is a valid media file.

I suspect this check will be Apple's fix as it will address the problem and probably not break anything else. It should be implemented in QuickTime as that fixes all apps that take advantage of QuickTime. iTunes may need to be modified to use it in an appropriate way.

A previous poster was right in that MIME types in the filesystem is a good answer but that's 10 years from being standard.
 
Daniel Sieberg is his name.

How unfortunate of Mr. Sieberg to use such words as "virus", "attack", "prey", etc. Clearly, he has no idea, no clue...

Obviously, this entire publication is probably full of inaccuracies and half-truths...how am I to interpret the rest of the articles from cnn.com?

Sadly, from a PR point of view, the damage is done - even without any real threat existing now or several years ago!
 
Rincewind42 said:
Fortunately this trojan is also extremely fragile, if the resource fork isn't preserved, the application can't even launch. They could try to do it with a standard bundled application, but they would also have to compress/encode it to send it to anyone, and couldn't use the normally invisible .app extension (because two extensions are always shown by OS X).

Darwin executables don't have resource forks, can use any (or no) extension, aren't necessarily binaries, and don't even need to be handed to the OS as files. Programs exploiting these characteristics generally need to ride on the back of an existing vulnerable program on the target system. The type of malware that can exploit this would use programs other than the Finder or Mac OS mechanisms to be activated, and there have been countless Unix vulnerabilities of this kind.
 