No, this is a system message that shows the application in question, which in this case happens to be Firefox. It looks the same in Safari...

screenshot20101031at323.png


Either way, you do not get scary details until you click Show Details...

I agree that Safari and Firefox could make the warning more explicit but the question is whether that would work or not. It's pretty easy to get a verifiable certificate.
 
I agree that Safari and Firefox could make the warning more explicit but the question is whether that would work or not. It's pretty easy to get a verifiable certificate.

A verified certificate would not guarantee success of this trojan because it requires two steps to complete infection.

1) Trick user to click "allow" at Java applet prompt.
2) User enters password and authenticates at installer prompt.

Read the intego article. At the bottom it outlines means of protection.

Installer prompts ask for a password to install items that require elevated privileges (i.e. rootkit) and to install for all users. Both of these conditions are required by this trojan.
 

Attachment: Screen shot 2010-10-31 at 4.18.19 PM.png

A verified certificate would not guarantee success of this trojan because it requires two steps to complete infection.

I'm aware of that. Read my previous posts in this thread. It seems that many people in this thread think that it is a warning sign that the certificate is self-signed (which is true) but the main problem is that you're allowing an application to access your computer.

If you look at downloading an exe file on Windows, you will get a warning such as "this program may be able to harm your computer" or something to that effect. The question still is whether this warning actually works or if people just click OK anyway. In any case, the problem has nothing to do with Java.
 
If you look at downloading an exe file on Windows, you will get a warning such as "this program may be able to harm your computer" or something to that effect. The question still is whether this warning actually works or if people just click OK anyway.

For unknowledgeable users on any OS, I don't think such prompts work once the user is lulled into complacency.

But, I know Windows users coming from using Windows XP admin accounts that are using Windows Vista or 7 admin accounts who do not understand the principles of UAC in relation to malware.

They either turn UAC off or click "ok" whenever it appears. They were never informed that they should use a standard account (which requires password authentication) for day to day use in Windows OSes, especially XP (password authentication via "Run as Administrator"), and still do not see UAC as anything other than an annoyance until they are explained otherwise.

In my experience, most non-computer-savvy Mac users have some understanding of the importance of password authentication and the implications of doing so. Also, I believe it is beneficial to have the default account created in an OS require password authentication as in Mac OS X because it makes users more aware of its function and most users stick with the default account that is created.
 
A verified certificate would not guarantee success of this trojan because it requires two steps to complete infection.

1) Trick user to click "allow" at Java applet prompt.
2) User enters password and authenticates at installer prompt.

Read the intego article. At the bottom it outlines means of protection.

Installer prompts ask for a password to install items that require elevated privileges (i.e. rootkit) and to install for all users. Both of these conditions are required by this trojan.

A point that many of you are missing is that trojans and other social engineered malware are replacing viruses and worms as the main risk factor for any system. Recent versions of Windows at current patch levels aren't at much risk to traditional viruses and worms.

Therefore, the malware writers aren't focussing on viruses as much, they're working on trojans and drive-bys. And they'll focus on OS X and iOS as well as Windows.

Go ahead and be smug - but be careful.
 
That is, it can change all the things you can change without an admin password.

but the main problem is that you're allowing an application to access your computer.

If you are so concerned with applications having access to your system with the same privilege as the user, then you should no longer use any applications on any OS that accept any user defined inputs that can lead to such access.

This includes all client side apps such as web browsers, email clients, media players, office suites, instant messengers, online games, anti-virus software, etc.
 
If you are so concerned with applications having access to your system with the same privilege as the user, then you should no longer use any applications on any OS that accept any user defined inputs that can lead to such access.

This includes all client side apps such as web browsers, email clients, media players, office suites, instant messengers, online games, anti-virus software, etc.

You're missing the point. I don't really have a problem since I know what I'm doing.
 
Of course, anyone who is vulnerable to these kinds of attack will probably skip the above paragraph. In fact, they'll probably not use this forum or be able to disable Java either.

You're missing the point. I don't really have a problem since I know what I'm doing.

If you don't see any benefit in posting in this forum and you personally don't have an issue with security in relation to trojans, what is the point of you even bothering to post in these forums?

What are you trying to accomplish by doing so given that you admit that you don't think it will benefit anyone else or yourself?
 
If you don't see any benefit in posting in this forum and you personally don't have an issue with security in relation to trojans, what is the point of you even bothering to post in these forums?

What are you trying to accomplish by doing so given that you admit that you don't think it will benefit anyone else or yourself?

My initial reason was to explain that this is not a Java security flaw since a lot of people assumed it was. Then the discussion turned to whether there is any way to inform the casual user that he might be about to do something dangerous. I'm not exactly sure what your problem is.
 
My initial reason was to explain that this is not a Java security flaw since a lot of people assumed it was. Then the discussion turned to whether there is any way to inform the casual user that he might be about to do something dangerous. I'm not exactly sure what your problem is.

The information given out by the "applet" prompt on all OSes always states the same content such that users become complacent to that content. Nothing about changing the prompt will change user complacency.

You don't see any information to indicate anything specific about the certificate on any OS unless you click "show details" which everybody should do but many people do not.

Self-signed certificates are common on the web and in internal corporate networks because they do not cost any money. So making a distinction between self-signed or not self-signed is just going to lead to user complacency regarding self-signed certificates given that most unknowledgeable users do not understand the difference anyway.

Given that the damage due to accessing a system without elevated privileges is limited and can occur via numerous vectors, trying to emphasize the prompts (beyond the amount already performed) in relation to just one of these vectors is largely fruitless. Trojans use all of these different attack vectors to exploit systems.

Given that the damage due to accessing a system with elevated privileges is high and can be prevented in relation to trojans by understanding the prompt for authenticating elevating privileges, I was stating that understanding the behaviour of the authentication password prompt is more important than the applet prompt.

My point was not specifically directed at you but at the manner in which the content of your posts fit the context of this thread. Many individuals were stating that password authentication was not required for this trojan to be effective.
 