Macs are more vulnerable than people think.
They just have so much lower a market share and percentage of users than Microsoft that it's not worth it to write malware and viruses for them.

As Apple and OSX grow, this kind of thing will become more common and Apple will be more at risk.
 
Are you purposefully ignoring my point? Look, if you don't know and don't care about the finer points, don't reply or try to participate.

I'm curious how it auto-executes the installer because that can have potentially damaging results for a user account, without privilege escalation. My data is all in my user account, I don't care about a few system files so much as I care about my data.

Can we please leave the bickering and "it's just an installer" out of it and discuss the technical requirements behind this malware so we can better understand it?
No one is pointing fingers or bickering. I'm responding to your question. The only technical requirement that was satisfied is that the user had "Open 'safe' files after downloading" selected. An app installer is not unsafe. Whether the app to be installed is safe or not is another matter, but the installer cannot harm your system or your user files simply by launching. If you don't want apps... installers or otherwise... to launch after downloading, simply deselect that box.
Macs are more vulnerable than people think.
They just have so much lower a market share and percentage of users than Microsoft that it's not worth it to write malware and viruses for them.

As Apple and OSX grow, this kind of thing will become more common and Apple will be more at risk.
The market share myth is exactly that: a myth. It doesn't hold water.
 
In Windows 7 you not only have the option to switch it on and off, you can also customize the intrusiveness of it; I find it much more user-friendly than in OS X.

Switching off or turning down UAC in Windows also equally impacts the strength of MIC (Windows sandboxing mechanism) because it functions based on inherited permissions. Unix DAC in Mac OS X functions via inherited permissions but MAC (mandatory access controls -> OS X sandbox) does not. Windows does not have a sandbox like OS X.

UAC, by default, does not use a unique identifier (password), so it is more susceptible to attacks that rely on spoofing prompts that appear to be unrelated to UAC to steal authentication. If a password is attached to authentication, these spoofed prompts fail to work.

Having a password associated with permissions has other benefits as well.

So Safari auto-downloads, unarchives and auto-executes something, but you think it is safe because it's an installer? :confused:

If "Open safe files after downloading" is turned on, it will both unarchive the zip file and launch the installer. Installers are marked as safe to launch because they require authentication to complete installation.

I'm sorry, but I'm still curious about the "auto-execute" part. Why would it run the installer automatically after decompressing it? That sounds quite "unsafe" to me. Even without administrator privilege, that means code can still run that can affect the current user's account.

No harm can be done from just launching the installer. But, you are correct in that code is being executed in user space.

Code run in user space is used to achieve privilege escalation via exploitation or social engineering (trick user to authenticate -> as in this malware). There is very little that can be done beyond prank style attacks with only user level access. System level access is required for usefully dangerous malware install, such as keyloggers that can log protected passwords. This is why there is little malware for Mac OS X. Achieving system level access to Windows via exploitation is much easier.

Webkit2 will further reduce the possibility of even achieving user level access.
 
You're not quite understanding what I'm saying or the situation here. Safari auto-downloads a zip file, runs it through Archive Utility which extracts something and then runs it.

It happens to be an installer this time. What if next time it's a malicious piece of code? Why did it auto-execute, under what conditions, and could these conditions be used to execute something other than an installer?

Think a bit beyond the current situation. The malware authors do.

I think I understand what you are saying. However, for the sake of clarity, let me answer your question relating to "why it auto-executed." The Safari protection level needs to be set to "Allow 'Safe' files to be opened."

This allows the Archive Utility to open the .zip file which contains the installation file to begin execution. Had the user not allowed this action, the file would never have made it to the user's computer without the user deliberately allowing it to be downloaded.

Once the installer is running, it still needs the user to enter a password and authorize the installer to install the software. If the user doesn't have the computer's administrator password, then once more the malware is blocked.

To address your other question, as to what conditions could malicious code get into OSX:

1. First, the file would need to be considered "safe" to be allowed to auto-download and auto-open, AND the browser would need to be set to allow this.
2. Then, like the case with the installer above, it would need to seek the user's permission to be installed. This, again, requires the complicity of the user, who would still need the administrator's password.
 
By default and design, Windows has been more secure than OSX for years now... Google it...!

Apple has no clue on security, never has had....

Their 4% worldwide market share (or it might be less) keeps them safe, and even if it didn't, the user base is too small to be significant in the malware space.

A good (Russian/Chinese) coder can infect as many Windows machines in a week as Apple sell Macs in a year!!!

Wait for the first real iOS bust, it's coming...... so much money out there to hackers to make it work.
 
To compare Windows' extremely annoying UAC crap with the non-intrusive one-time authorization requests for newly-downloaded files on Mac OS X is ludicrous...not to mention the fact that OS X's user password validity lasts for a while after it is typed.

Conclusion: You've probably never really used OS X.

Well I've actually worked with technical support of OS X so...
Both the authorization in OS X and Windows UAC require confirmation when any sw needs to write to the disk or access certain system information. OS X doesn't only require authorization when installing an app (and updating, mind you) or running it for the first time, it also needs it when changing anything in the system.
UAC works exactly the same way; that 3rd-party developers aren't making the effort to adapt their sw to a permission-based OS and unnecessarily require admin rights isn't really MS's fault.
As I said, I can't even think of any such sw on my Windows PC and I don't find UAC more annoying than OS X authorization in the least. I get the UAC prompt at the same times as I do in OS X, when installing/updating an application and changing system preferences, nothing else.

What do you mean, "Try Windows 7"? I've used and maintained every version of Windows from 98SE all the way up to 7. I even toyed around with 95 in a virtual machine from pure curiosity. Hell, I even have a Windows 7 boot camp partition.

I know exactly what Windows 7 is like. It comes with maintaining every computer at the house, several of the computers at the high school, fixing collegemates' computers, and being known as the neighborhood tech kid since age 14 (now 22, for reference).

Sorry, that last sentence wasn't aimed at you, it was more of a general statement about how some people simply dismiss everything that comes from MS without any personal experience. It's so obvious that they haven't used Win 7 and are only making assumptions, simply because it's cool to hate MS.
 
Their 4% worldwide market share (or it might be less) keeps them safe, and even if it didn't, the user base is too small to be significant in the malware space.
The market share argument is BS. It's been debunked in many of these threads.
 
No one is pointing fingers or bickering. I'm responding to your question. The only technical requirement that was satisfied is that the user had "Open 'safe' files after downloading" selected. An app installer is not unsafe. Whether the app to be installed is safe or not is another matter, but the installer cannot harm your system or your user files simply by launching. If you don't want apps... installers or otherwise... to launch after downloading, simply deselect that box.

Wait, the "Open Safe files" bit was for the zip archive, which runs it through Archive Utility. What then auto-executes an installer? You're suggesting Safari somehow knows that the zip archive contains an installer, and that it is indeed an installer, and then executes it.

Do you have any proof of this? I've been trying to get my hands on the zip archive itself to inspect it, but no luck, as Google is now swamped with "news" about this thing that just rehashes what you just said.

Basically, the details you provide here are nothing I don't already know about the current situation; I am asking for more here. Not just "deselect that box", but rather what else can be auto-executed and what else is considered "safe".

I don't use Safari, I'm not at risk, but I'd still like to know the details of this.

That's why I say you purposefully ignore my point. My point is let's dissect and understand this thing, not gloss over it like the current news outlets, heck, even Intego's description does. That's why I don't like Intego, they just spread FUD without ever explaining anything and mark everything as a "virus" (their Virus X-barrier says VIRUS FOUND! when it finds malware that isn't a virus...).

1. First, the file would need to be considered "safe" to be allowed to auto-download and auto-open, AND the browser would need to be set to allow this.
2. Then, like the case with the installer above, it would need to seek the user's permission to be installed. This, again, requires the complicity of the user, who would still need the administrator's password.

How can anything be considered safe in this scenario? We have a compressed archive and an executable file. Both are rather unsafe. Especially the executable file. I don't care that it is an installer, no executable file is safe. What if the "installer" had some payload code on launch, before privilege escalation?

This is what I'm interested in knowing: how is this thing packaged so that it gets auto-executed? You aren't answering my question either. I'm technical enough, I think, that I already understood what you and the Studios guy are "trying to explain to me", but you both fail to understand the underlying question:

Why is this thing auto-executing? I know it's because Safari considers it safe since the user checked the safe box, that's in the article. I want to know why an executable file is being launched after a zip file was uncompressed, and how does Safari know this is "safe"?

Both of you are only repeating the same stuff that's in the media. I want the details, not the media overview. I want the archive itself if possible. Let's find it, dissect it, understand it. If Apple needs to modify some defaults, let's ask for that.
 
The market share myth is exactly that: a myth. It doesn't hold water.

It's not a myth, we've interviewed hackers after conviction, they have no interest in pursuing Macs due to the numbers. To get a really good and useful botnet you'd need roughly 25% of the entire user base!!!!

These guys deal in tens of millions!
 
I'm curious how it auto-executes the installer because that can have potentially damaging results for a user account, without privilege escalation. My data is all in my user account, I don't care about a few system files so much as I care about my data.

It auto-executes the installer because installers are marked as safe if "open safe files after downloading" is turned on.

This is not an example of shellcode being injected into a running application to execute code in user space.
 
It's not a myth, we've interviewed hackers after conviction, they have no interest in pursuing Macs due to the numbers. To get a really good and useful botnet you'd need roughly 25% of the entire user base!!!!

These guys deal in tens of millions!
That's completely false. The current installed base of Macs is around 100 million, and it grows by over a million Macs per month. You don't need a certain percentage of market share for a useful botnet; you need numbers. You talking to a handful of hackers is hardly conclusive. I can interview a handful of people in my neighborhood and find a consensus on any number of falsehoods. Get some facts (rather than making stuff up) and then re-join the discussion.
 
It auto-executes the installer because installers are marked as safe if "open safe files after downloading" is turned on.

Fine, so I can write an installer that will just wipe your user account while you read my EULA, and you'll happily execute it because "hey, it's just an installer"? :rolleyes:

This is not an example of shellcode being injected into a running application to execute code in user space.

This is not, but I'm interested in the mechanics because next time, it could very well be. That's my point. Some of you guys aren't cut out for computer security...
 
Bravo, this is the funniest post ever.

I bet there's a lot of fan bois with soiled underwear.

Could it be true? Their perfect computers now quite vulnerable.

Ya gotta love it...the slap of reality :) :) :)

…and in come the Engadget trolls… ;)

Reality check is that I make 75% of my part-time communications and IT work from Windows-based systems, fixing errors, virus removal, bloatware, installing third-party software such as mail, photo and calendar apps (Office), configuring their WLAN to work properly, et al.

My OS X work is mostly teaching people how to use OS X (Apple's One on One but without the noise and lack of experience from minimum-wage "Creatives"). Funny how the switchers fall in love with OS X and never switch back to Windows.

Not knocking it, I got W7 on one of my 6-Core Mac Pro SATA bays and it runs amazingly. Of course, some of this is due to the hardware and drivers supplied by Apple, making it seamless as opposed to writing code for a myriad of hardware profiles…

Bottom line, both are good, but Windows would be better following Apple's lead in producing the hardware with the product, ensuring fewer compatibility issues and adopting EFI (BIOS? REALLY?). Of course this would mean millions of large businesses reinvesting in MS-built hardware, and with MS's product quality/industrial design, I'm not betting on it...
 
It auto-executes the installer because installers are marked as safe if "open safe files after downloading" is turned on.

This is not an example of shellcode being injected into a running application to execute code in user space.

A smart hacker will simply feed Safari the data it looks for when verifying a file is an installer. Once that's done, do what you want with the person's computer. It isn't rocket science, it just takes time and effort, something many hackers would rather spend on Windows-based PCs.

EDIT: Because trolls will feed on anything, what I meant is that's what you'd have to do to run code without user permission. The code couldn't do much other than delete everything in your home folder, but... well, it can delete everything in your home folder. To be perfectly honest though, whoever doesn't back that stuff up is asking for trouble, considering it doesn't even take malware to lose your data.
 
Fine, so I can write an installer that will just wipe your user account while you read my EULA, and you'll happily execute it because "hey, it's just an installer"? :rolleyes:

Is anybody actually bothering to do this in the wild against any OS?

This is not, but I'm interested in the mechanics because next time, it could very well be. That's my point. Some of you guys aren't cut out for computer security...

The types of attacks you are referring to are not occurring in the wild on a massive scale. When was the last time you heard about one in the media?

At the moment, there is no way to prevent the kinds of attacks you are referring to on any OS if a vulnerability exists that allows the attacker to exploit a running application.

Webkit2 will reduce access to user space when Safari (or any app using webkit2) is exploited by restricting the privileges of apps on a per app basis.

Turn off "Open safe files after downloading" if you are worried about that type of attack implemented via "safe" files.
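A defender's audit of that setting, added here as an example and not taken from the thread: it reads the Safari preference the checkbox is stored under (assumed to be the AutoOpenSafeDownloads key in the com.apple.Safari domain), treats an absent key as Safari's default of enabled (an assumption), and can switch it off. On a non-Mac it falls back to reporting the default so the classification logic can still be exercised.

```shell
#!/bin/sh
# Audit of Safari's "Open 'safe' files after downloading" checkbox.
# Added example, not from the thread. Assumes the checkbox is stored as
# the boolean com.apple.Safari AutoOpenSafeDownloads, and that a missing
# key means Safari's default (enabled).

# classify_auto_open VALUE -> prints "enabled", "disabled" or "unknown".
# VALUE is the raw string `defaults read` returns; an empty string means the
# key is absent and Safari falls back to its default.
classify_auto_open() {
    case "$1" in
        0|false|FALSE|no|NO)      echo "disabled" ;;
        ""|1|true|TRUE|yes|YES)   echo "enabled" ;;
        *)                        echo "unknown" ;;
    esac
}

# read_auto_open -> prints the stored value on macOS, nothing elsewhere or
# when the key has never been written.
read_auto_open() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true
    fi
}

# safari_auto_open_status -> prints the status; exit 0 only when disabled,
# so it can be used as a check in a larger hardening script.
safari_auto_open_status() {
    status=$(classify_auto_open "$(read_auto_open)")
    echo "$status"
    [ "$status" = "disabled" ]
}

# disable_auto_open -> writes the safe value (macOS only); relaunch Safari
# afterwards so the running instance picks it up.
disable_auto_open() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

if [ "${1:-}" = "--fix" ]; then
    disable_auto_open && echo "AutoOpenSafeDownloads set to false; relaunch Safari"
else
    safari_auto_open_status ||
        echo "warning: a downloaded zip holding an installer will be opened automatically" >&2
fi
```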
 
Well, we have indisputable proof now! :rolleyes:

google...

'windows more secure than OSX'

check the results, you have people who are professional coders telling it how it is... and has been since 2007.

ignorance of facts doesn't equal knowledge, if no one is trying to break the door down you don't need a big lock.
 
A smart hacker will simply feed Safari the data it looks for when verifying a file is an installer. Once that's done, do what you want with the person's computer. It isn't rocket science, it just takes time and effort, something many hackers would rather spend on Windows-based PCs.

All successful malware includes privilege escalation via exploitation. This does not. That is why malware never has become successful in OS X and is becoming less successful in Windows. The big issue with Windows in the past was the default account in Windows XP (admin) runs with elevated privileges by default so privilege escalation was not required for system level access.
 
Such a load of crap that is.

'we've interviewed hackers after conviction'

:rolleyes:

I work for one of the biggest banks in the world and specialise in bank fraud; we liaise with the major law enforcement groups all over the world.

Cutting a deal with a hacker, if we can get one who's up high enough can save millions....with the right info.

Mac users tend to be socially engineered via simpler methods anyway, wonder why that is...? :rolleyes:
 
google...

'windows more secure than OSX'

check the results, you have people who are professional coders telling it how it is... and has been since 2007.

ignorance of facts doesn't equal knowledge, if no one is trying to break the door down you don't need a big lock.

I think the reality is in front of us. There's no need to google it.
 
All successful malware includes privilege escalation via exploitation. This does not. That is why malware never has become successful in OS X and is becoming less successful in Windows. The big issue with Windows in the past was the default account in Windows XP (admin) runs with elevated privileges by default so privilege escalation was not required for system level access.

Man in the browser is now the biggest issue for all OSes, malware-wise.

All the info happens via the browser, there is no point attacking anything else.
 
Is anybody actually bothering to do this in the wild against any OS?

The types of attacks you are referring to are not occurring in the wild on a massive scale. When was the last time you heard about one in the media?

Again, look, if you're not interested in the mechanics, that's fine. Stop replying to me.

My post is inquiring about the mechanics. For the past hour, I've been trying to find how this thing ticks by searching around for in-depth articles (none to find, everyone just points to Intego's brief overview that is seriously lacking in details) or for the archive itself.

If you don't want to take this discussion to the technical level I am trying to take it, just don't participate.

At the moment, there is no way to prevent the kinds of attacks you are referring to on any OS if a vulnerability exists that allows the attacker to exploit a running application.

I don't know of any other Web browser (this is not an OS problem, it's a Safari problem) that automatically assumes executables are safe and thus should be auto-executed.

Webkit2 will reduce access to user space when Safari (or any app using webkit2) is exploited by restricting the privileges of apps on a per app basis.

What does Webkit2 have anything to do with running an installer on the OS after downloading it? That happens outside the rendering engine's sandbox. You're not quite understanding what this sandbox does if you think this protects you against these types of attacks.

Turn off "Open safe files after downloading" if you are worried about that type of attack implemented via "safe" files.

I think you missed the part where I don't use Safari. I'm pretty far away from allowing it to "auto-run" "safe" files (I choose what I want to run).

Again munkery, I appreciate you taking the time to respond, but I'm not some noob user. You are not answering my inquiries nor helping any here at the level I want to discuss this. I get everything you are saying. I've been getting that level for quite a few years. I'm trying to discuss at another level here. Do you want to participate or not at a higher level where we discuss the actual mechanics of this rather than just staring at the tip of the iceberg?
 