Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
The installer is marked as safe to auto-execute if "open safe files after downloading" is turned on.

This is again just brushing over the issue. You're again not helping. I get all the rest. I even get this part. I want to know more about this part in particular though. What is "an installer" but an executable file and what prevents me from writing "an installer" that does more than just "installing". What is so special about installers that would prevent a malicious payload (without privilege escalation, unless you were to exploit a local privilege escalation bug) from auto-executing ?

This is my point and this is what I'm trying to dissect here. This sentence of yours is the tip of the iceberg. Let's go deeper here. You keep repeating this non-sense that's everywhere on the web and that I've read and told you thousands of times that I understand.

Installers being marked as safe really doesn't increase the likelihood of user level access as the Javascript exploit already provided user level access. I don't understand why you are hung up on this installer being able to auto-execute; it really makes no difference in terms of user level access. The attacker could have deleted your files with just the Javascript exploit.

I don't know of any Javascript DOM manipulation that lets you have write/read access to the local filesystem. This is already sandboxed.

Let's face it, auto-downloads are not a Javascript exploit, they're a feature used on many sites these days : "Your download will auto-start in 5 seconds, click here if it doesn't work". It's not uncommon and quite not the issue here.

The issue is Safari is launching an executable file that sits outside the browser sandbox.

I'm beginning to suspect you don't quite understand what is going on here. I think it's not my technical knowledge that is at issue here, it's your understanding of my point. Again, stop replying to me if all you want to do is discuss the tip of the iceberg covered by the press. I don't care about that, I read that, it raises more questions for me than it answers.
 
so a very small percentage of the market will be using it (the better tech) then?

if IE or FF don't do something similar then it won't really matter from a cybercrime point of view as 'no one' uses Safari and only the foolish use Chrome.

sad really..

I read somewhere that Chrome may drop it's own sandbox in favour of Webkit2 given that Chrome is based on Webkit.

Webkit2 will sandbox plugins, rendering engine, and scripting engine (Javascript) from the UI frame and that sandbox will be the same regardless of the user account type running on the Mac, even root.

IE sandboxes tab processes from each other and the UI frame but it does not sandbox the plugins, rendering engine, and scripting engine from the tab processes.

Also, the Windows sandbox is turned off or lessened if the user turns off UAC or lessens UAC restrictions. This effect of UAC on Windows sandbox also affects Chrome on Windows given that Chrome uses that technology to achieve it's sandbox in Windows. So, do not disable or reduce UAC in Windows!

You have to remember a browsers sandbox is based on the sandbox technology of the underlying OS. Windows sandbox is based on inherited permissions much like the older sandbox technology called Unix DAC that has always been implemented in the default user account in OS X. The newer sandbox in OS X, the TrustedBSD MAC framework, does not function via inherited permissions.
 
Is your info from like 1993 ? Because this little known version of Windows dubbed "New Technology" or NT for short brought along something called the NTFS (New Technology File System) that has... *drumroll* ACLs and strict permissions with inheritance...

Unless you're running as administrator on a Windows NT based system, you're as protected as a "Unix/Linux" user. Of course, you can also run as root all the time under Unix, negating this "security".

Until Vista and Win 7, it was effectively impossible to run a Windows NT system as anything but Administrator. To the point that other than locked-down corporate sites where an IT Professional was required to install the Corporate Approved version of any software you need to do your job, I never knew anyone running XP (or 2k, or for that matter NT 3.x) who in a day-to-day fashion used a Standard user account.

In contrast, an "Administrator" account on OS X was in reality a limited user account, just with some system-level privileges like being able to install apps that other people could run. A "Standard" user account was far more usable on OS X than the equivalent on Windows, because "Standard" users could install software into their user sandbox, etc. Still, most people I know run OS X as Administrator.

The real differenc, though, is that an NT Administrator was really equivalent to the Unix root account. An OS X Administrator was a Unix non-root user with 'admin' group access. You could not start up the UI as the 'root' user (and the 'root' account was disabled by default).

All that having been said, UAC has really evened the bar for Windows Vista and 7 (moreso in 7 after the usability tweaks Microsoft put in to stop people from disabling it). I see no functional security difference between the OS X authorization scheme and the Windows UAC scheme.

I'd say it's people that try to just lump all malware together in the same category, making a trojan that relies on social engineering sound as bad as a self-replicating worm that spreads using a remote execution/privilege escalation bug that are quite ignorant of general computer security.

Absolutely. I think it is absolutely critical to discern between a social-engineering attack (ie, one that requires a user to take some action unwittingly) from an automated attack (a classic virus or worm). The latter is certainly less common these days (although the "big boys" wanting to send Iranian nuclear reactors into convulsions seem to be keeping the dark art of worming alive and well), and so a typical user is much more likely to fall victim to a phishing scam than to get something nasty like the Asuza virus which wipes out their hard drive after an incubation period.

From the main "security firms", though, the money is in making all malware seem automated and thus only able to be countered by an automated virus detection/isolation utility. There just isn't much money in telling people to not click "Install" when MACDefender's installer comes up while looking through Google Images.
 
What is "an installer" but an executable file and what prevents me from writing "an installer" that does more than just "installing".

My response, why bother worrying about this when the attacker can do the same thing via shellcode generated in the background by exploiting a running process so the the user is unaware that code is being executed on the system.

I don't know of any Javascript DOM manipulation that lets you have write/read access to the local filesystem. This is already sandboxed.

The scripting engine in the current Safari is not yet sandboxed.

Here is a list of Javascript vulnerabilities:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Mac+OS+X+Javascript

The issue is Safari is launching an executable file that sits outside the browser sandbox.

In the current Safari, only some plugins are sandboxed, so this wasn't execution outside the sandbox.

All that having been said, UAC has really evened the bar for Windows Vista and 7 (moreso in 7 after the usability tweaks Microsoft put in to stop people from disabling it). I see no functional security difference between the OS X authorization scheme and the Windows UAC scheme.

Except this:

Switching off or turning down UAC in Windows also equally impacts the strength of MIC (Windows sandboxing mechanism) because it functions based on inherited permissions. Unix DAC in Mac OS X functions via inherited permissions but MAC (mandatory access controls -> OS X sandbox) does not. Windows does not have a sandbox like OS X.

UAC, by default, does not use a unique identifier (password) so it is more susceptible to attacks the rely on spoofing prompts that appear to be unrelated to UAC to steal authentication. If a password is attached to authentication, these spoofed prompts fail to work.

Unix DAC is turned off in OS X in the root user account.
 
Last edited by a moderator:
Until Vista and Win 7, it was effectively impossible to run a Windows NT system as anything but Administrator. To the point that other than locked-down corporate sites where an IT Professional was required to install the Corporate Approved version of any software you need to do your job, I never knew anyone running XP (or 2k, or for that matter NT 3.x) who in a day-to-day fashion used a Standard user account.

Of course, I don't know of any Linux distribution that doesn't require root to install system wide software either. Kind of negates your point there...

In contrast, an "Administrator" account on OS X was in reality a limited user account, just with some system-level privileges like being able to install apps that other people could run. A "Standard" user account was far more usable on OS X than the equivalent on Windows, because "Standard" users could install software into their user sandbox, etc. Still, most people I know run OS X as Administrator.

You could do the same as far back as Windows NT 3.1 in 1993. The fact that most software vendors wrote their applications for the non-secure DOS based versions of Windows is moot, that is not a problem of the OS's security model, it is a problem of the Application. This is not "Unix security" being better, it's "Software vendors for Windows" being dumber.

It's no different than if instead of writing my preferences to $HOME/.myapp/ I'd write a software that required writing everything to /usr/share/myapp/username/. That would require root in any decent Unix installation, or it would require me to set permissions on that folder to 775 and make all users of myapp part of the owning group. Or I could just go the lazy route, make the binary 4755 and set mount opts to suid on the filesystem where this binary resides... (ugh...).

This is no different on Windows NT based architectures. If you were so inclined, with tools like Filemon and Regmon, you could granularly set permissions in a way to install these misbehaving software so that they would work for regular users.

I know I did many times in a past life (back when I was sort of forced to do Windows systems administration... ugh... Windows NT 4.0 Terminal Server edition... what a wreck...).

Let's face it, Windows NT and Unix systems have very similar security models (in fact, Windows NT has superior ACL support out of the box, akin to Novell's close to perfect ACLs, Unix is far more limited with it's read/write/execute permission scheme, even with Posix ACLs in place). It's the hoops that software vendors outside the control of Microsoft made you go through that forced lazy users to run as Administrator all the time and gave Microsoft such headaches.

As far back as I remember (when I did some Windows systems programming), Microsoft was already advising to use the user's home folder/the user's registry hive for preferences and to never write to system locations.

The real differenc, though, is that an NT Administrator was really equivalent to the Unix root account. An OS X Administrator was a Unix non-root user with 'admin' group access. You could not start up the UI as the 'root' user (and the 'root' account was disabled by default).

Actually, the Administrator account (much less a standard user in the Administrators group) is not a root level account at all.

Notice how a root account on Unix can do everything, just by virtue of its 0 uid. It can write/delete/read files from filesystems it does not even have permissions on. It can kill any system process, no matter the owner.

Administrator on Windows NT is far more limited. Don't ever break your ACLs or don't try to kill processes owned by "System". SysInternals provided tools that let you do it, but Microsoft did not.

All that having been said, UAC has really evened the bar for Windows Vista and 7 (moreso in 7 after the usability tweaks Microsoft put in to stop people from disabling it). I see no functional security difference between the OS X authorization scheme and the Windows UAC scheme.

UAC is simply a gui front-end to the runas command. Heck, shift-right-click already had the "Run As" option. It's a glorified sudo. It uses RDP (since Vista, user sessions are really local RDP sessions) to prevent being able to "fake it", by showing up on the "console" session while the user's display resides on a RDP session.

There, you did it, you made me go on a defensive rant for Microsoft. I hate you now.

My response, why bother worrying about this when the attacker can do the same thing via shellcode generated in the background by exploiting a running process so the the user is unaware that code is being executed on the system

Because this required no particular exploit or vulnerability. A simple Javascript auto-download and Safari auto-opening an archive and running code.

Why bother, you're not "getting it". The only reason the user is aware of MACDefender is because it runs a GUI based installer. If the executable had had 0 GUI code and just run stuff in the background, you would have never known until you couldn't find your files or some chinese guy was buying goods with your CC info, fished right out of your "Bank stuff.xls" file.

That's the thing, infecting a computer at the system level is fine if you want to build a DoS botnet or something (and even then, you don't really need privilege escalation for that, just set login items for the current user, and run off a non-privilege port, root privileges are not required for ICMP access, only raw sockets).

These days, malware authors and users are much more interested in your data than your system. That's where the money is. Identity theft, phishing, they mean big bucks.
 
Last edited:
UAC is simply a gui front-end to the runas command. Heck, shift-right-click already had the "Run As" option. It's a glorified sudo. It uses RDP (since Vista, user sessions are really local RDP sessions) to prevent being able to "fake it", by showing up on the "console" session while the user's display resides on a RDP session.

There, you did it, you made me go on a defensive rant for Microsoft. I hate you now.

Here is a list of privilege escalation (UAC bypass) vulnerabilities just related to Stuxnet (win32k.sys) in Windows in 2011:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k.sys+2011

Here is a list of all of the privilege escalation vulnerabilities in Mac OS X in 2011:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Mac+OS+X+privileges+2011

These days, malware authors and users are much more interested in your data than your system. That's where the money is. Identity theft, phishing, they mean big bucks.

Provide an example of malware that only includes user level access being used in the wild as per your description that can not be prevented with user knowledge?
 
Here is a list of privilege escalation (UAC bypass) vulnerabilities just related to Stuxnet (win32k.sys) in Windows in 2011:

Vulnerabilities are found in everything. It's not like sudo, RBAC or any other Unix scheme that's similar to Windows' UAC/RunAs has been vulnerability free all these years. This is besides the point that UAC is not somehow inferior. It's just an implementation of limited privilege escalation, same as you find on Unix systems. "Unix security" is not being any better here.

Provide an example of malware that only includes user level access being used in the wild as per your description that can not be prevented with user knowledge?

Have I claimed such a beasts exists ? No. Why should I then be made to provide an example of it ?
 
Vulnerabilities are found in everything. It's not like sudo, RBAC or any other Unix scheme that's similar to Windows' UAC/RunAs has been vulnerability free all these years. This is besides the point that UAC is not somehow inferior. It's just an implementation of limited privilege escalation, same as you find on Unix systems. "Unix security" is not being any better here.

Really,

Here is a list of privilege escalation (UAC bypass) vulnerabilities just related to Stuxnet (win32k.sys) in Windows in 2011:

http://cve.mitre.org/cgi-bin/cvekey....in32k.sys+2011

Here is a list of all of the privilege escalation vulnerabilities in Mac OS X in 2011:

http://cve.mitre.org/cgi-bin/cvekey....rivileges+2011

BTW, the system call for that local in OS X was no longer needed so it was removed from OS X. It was only used in relation to 32 bit processes.

Have I claimed such a beasts exists ? No. Why should I then be made to provide an example of it ?

Why are you going on and on about something that is not a common threat in the wild?
 
Last edited:
Switching off or turning down UAC in Windows also equally impacts the strength of MIC (Windows sandboxing mechanism) because it functions based on inherited permissions. Unix DAC in Mac OS X functions via inherited permissions but MAC (mandatory access controls -> OS X sandbox) does not. Windows does not have a sandbox like OS X.

UAC, by default, does not use a unique identifier (password) so it is more susceptible to attacks the rely on spoofing prompts that appear to be unrelated to UAC to steal authentication. If a password is attached to authentication, these spoofed prompts fail to work.

Having a password associated with permissions has other benefits as well.



If "Open safe files after downloading" is turned on, it will both unarchive the zip file and launch the installer. Installers are marked as safe to launch because require authentication to complete installation.



No harm can be done from just launching the installer. But, you are correct in that code is being executed in user space.

Code run in user space is used to achieve privilege escalation via exploitation or social engineering (trick user to authenticate -> as in this malware). There is very little that can be done beyond prank style attacks with only user level access. System level access is required for usefully dangerous malware install, such as keyloggers that can log protected passwords. This is why there is little malware for Mac OS X. Achieving system level access to Windows via exploitation is much easier.

Webkit2 will further reduce the possibility of even achieving user level access.

The article suggested that the installer completed itself without authentication. I don't see how that is possible unless you are using the root account or something. It would give sudo access, but even still you'd get SOME dialog box :confused:
 
Really,

BTW, the system call for that local in OS X was no longer needed so it was removed from OS X. It was only used by 32 bit processes.

Bugs are not flaws in a security model. They have nothing to do with "Unix security" being better. Stop hammering that point, it's not even valid.
 
After seeing at least two posters refer to this as a "virus", I'm sitting here doing a face palm. One more "it's a virus" comment and I'm moving up to the double face palm...

Actually there are at least five posters adding to the confusion by promulgating such ignorance. I've added maclaptop, turbobass, ElCidRo, campingsk8er, ciTiger to my permanent "ignore" list from this one thread alone.
 
Bugs are not flaws in a security model. They have nothing to do with "Unix security" being better. Stop hammering that point, it's not even valid.

Bugs are flaws in the overall security model. Part of an OSs security model includes the implementation of exploit mitigations. The best exploit mitigation is to have as few bugs as possible. Obviously, in relation to privilege escalation, OS X has far fewer bugs.
 
Except this is not a virus. Some of you guys need a course on malware terminology. This is a trojan at best. Spyware at worst. Hardly a virus.

Exactly, everyone always talks about Macs being susceptible to viruses and viruses already existing for Macs, then they give the whole "market share" speech. I'm just sitting here virus and malware free laughing :p and most likely will be even if Apple gains market share. I'm a halftime Windows user, and I see soooo many security problems in it, but the MS fanboys blame market share!

I will say that market share DOES up the number of attacks on something, which is why Windows gets attacked so much, but it's also much much easier to attack than Mac OS.
 
Bugs are flaws in the overall security model.

Bugs are flaws in the implementation, not the model, at least for those you are referring to. Unless you have a model flaw to demonstrate (like the SSL protocol of 2009 bug) you're being completely besides the point.

Part of an OSs security model includes the implementation of exploit mitigations. The best exploit mitigation is to have as few bugs as possible. Obviously, in relation to privilege escalation, OS X has far fewer bugs.

Again, this has nothing to do with the "Unix security model", only to less known bugs.

At this point, I doubt you're even interested in having a serious discussion on this issue... I think I'll just stop replying to you.
 
Problems with Windows security in comparison to Mac OS X presented just in this thread:

1) Greater number of privilege escalation vulnerabilities:

Here is a list of privilege escalation (UAC bypass) vulnerabilities just related to Stuxnet (win32k.sys) in Windows in 2011:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=win32k.sys+2011

Here is a list of all of the privilege escalation vulnerabilities in Mac OS X in 2011:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Mac+OS+X+privileges+2011

2) Earlier versions of NT based Windows (Windows XP and earlier) do not use discretionary access controls by default.

3) Permissions system does not include a user defined unique identifier (password) by default. More susceptible to user space exploitation leading to authentication stolen via spoofed prompt that appears unrelated to UAC because password not associated with authentication.

4) Windows sandbox mechanism relies on inherited permissions so that turning off UAC turns off the sandbox. This sandbox has been defeated in the wild (in the last two pwn2owns).

I do not know of any TrustedBSD MAC framework (BSD and Mac sandbox), AppArmor (openSUSE and Ubuntu), or SE Linux (Fedora) mandatory access control escapes? These sandbox mechanisms do not rely on inherited permissions.

5) The Windows registry is a single point of failure that can be leveraged by malware.

EDIT:

If malware doesn't need to use some method to achieve privilege escalation or actively phish users for their credit card number to be profitable enough to warrant their creation, then why did the specific example of malware that started this thread rely on these methods to be profitable?

Why did it not use the methods presented by KnightWRX? Why do you not see malware that only uses user level access to upload a user's data files to achieve some effect that is profitable? I can't recall any malware that uses this method.

Is it because most users do not have valuable info stored in insecure data files? I keep that type of info in encrypted secured notes in Keychain Access or in encrypted sparse bundle disk images.

Is it because it would require too much time to data mine the files for valuable info in relation to the amount of profit gained? How many GBs of data are on your system? Even the data I keep in encrypted sparse bundle disk images wouldn't be very useful for identity theft even if it was not encrypted.

Is it because given all the variables it is more cost effective to go after achieving system level access to keystroke log passwords protected by user space security mechanisms or simply to use basic phishing scams on unknowledgeable users? Makes sense to me but maybe I am wrong.
 
Last edited by a moderator:
Information?

If anyone has information on how to download this file, as well as an apple id, please visit this page

thanks
 
Mac OS X fanboys really need to stop clinging to the mentality that "viruses" don't exist for OS X and that "malware" is a Windows-only problem. Who cares if viruses don't exist for OS X? News flash: viruses aren't all that common on Windows anymore. They just aren't. Phishing, Spear Phishing, trojans, and social engineering are much more cost- and time-effective ways to breach a computer's security.

So no matter what you call "MACDefender," it's a problem. One that's not likely to be caught by a user who has been fed the Koolaid that malware is a Windows problem and that they don't need to be aware.

Can you for once write something truthful? Why are you even here. Windows viruses are more rampant than ever before, trust me I remove them for a living and it eats up a good chunk of my work week.

As for your constant "fanboy" comments I think calling people "fanboys" should get you the ban hammer. No one wants to hear it anymore. They just don't. Oh, and for the "koolaid" cliche? Real original :rolleyes: Haven't heard that a million times.

You obviously know nothing about Windows or Mac if you honestly believe the FUD you constantly put on this forum.
 
Last edited:
Can you for once write something truthful? Why are you even here. Windows viruses are more rampant than ever before, trust me I remove them for a living and it eats up a good chunk of my work week.

As for your constant "fanboy" comments I think calling people "fanboys" should get you the ban hammer. No one wants to hear it anymore. They just don't. Oh, and for the "koolaid" cliche? Real original :rolleyes: Haven't heard that a million times.

You obviously know nothing about Windows or Mac if you honestly believe the FUD you constantly put on this forum.

Agreed. Also, "fanboy" counts as a personal insult, which is against the rules. I almost got banned for calling some moron a moron (he was complaining about how he didn't care about an article, and I asked him why he clicked on it).

If that guy thinks that MACDefender (not a virus) is an issue, he would faint if he saw a Windows virus.
 
Just another reason for people to use Firefox. Safari is bloated in my opinion anyways.

But regardless, this is hardly a threat and I don't see what the big deal over it is. From what I can tell, this malware is downloaded on user error. Not only do you have to have Safari open "safe" files, but you also have to visit the site in order to download it, which by now I assume Safari will warn you about anyways.

If this is the result of computer geniuses trying their attempt at a Mac virus, then I'm not worried about the future security of my Mac at all.
 
Unchecking a single box isn't justification for switching browsers. If you don't like Safari, fine. But this isn't a reason for anyone to leave Safari.

Yeah. I actually like Safari way more than anything else because of all of the features and integration with Mac OS X that Firefox and Chrome lack. Also, Chrome hogs RAM, and Firefox takes a while to start. Don't even talk about IE :rolleyes:

And for me Firefox seems MORE bloated, but I haven't really run any tests. I've tested Chrome just to respond to eMails from my friend, a Google fanboy, about Chrome being "faster". :D
 
Just another reason for people to use Firefox. Safari is bloated in my opinion anyways.

But regardless, this is hardly a threat and I don't see what the big deal over it is. From what I can tell, this malware is downloaded on user error. Not only do you have to have Safari open "safe" files, but you also have to visit the site in order to download it, which by now I assume Safari will warn you about anyways.

If this is the result of computer geniuses trying their attempt at a Mac virus, then I'm not worried about the future security of my Mac at all.

In addition, you have to click through an installer and enter your password then enter your credit card :rolleyes:
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.