Warning; your Mac could get Raped!

Scarlet Fever

macrumors 68040
Original poster
Jul 22, 2005
3,265
0
Bookshop!
from here

ANNOYED AT Apple fanboy smugness, an anonymous independent insecurity expert has developed a worm for the Apple OSX.
The bloke, who goes by the handle of "Information Security Sellout" has developed a worm that targets an unknown vulnerability affecting OSX.

In his bog, Information Security Sellout claimed that his proof-of-concept worm could gain root access. His worm was based on a variation of mDNSResponder vulnerabilities that Apple had previously patched.

He had also tested it on a network of approximately 1,500 OS X systems.

His version, called "Rape", only snuffles in a LAN, but he says it would not take much extra work for the worm to attack down the Internet tubes.

When his research is finished he says he will give it to Apple to have a look at. However looking at the comments in his bog it appears his actions have caused a crisis of faith among Apple fanboys. There are the usual death threats but what is sad is that many of them are completely convinced that a worm in an Apple is impossible.
it's awesome how a POC gets media attention, while 114,000 viruses last year for PCs gets nothing :rolleyes:
 

Queso

Suspended
Mar 4, 2006
11,824
7
Interestingly enough the Security Focus page doesn't list 10.4.10 as being vulnerable. Could this already have been patched?
 

DoFoT9

macrumors P6
Jun 11, 2007
17,530
32
Singapore
Interestingly enough the Security Focus page doesn't list 10.4.10 as being vulnerable. Could this already have been patched?
yes apple is relly quite good at patches for software holes.. i think 10.4.10 might have already fixed it :) GO APPLE!!!!!!!
 

Killyp

macrumors 68040
Jun 14, 2006
3,860
5
:D:D

It's actually an example of how insecure PC users can be about the whole virus issue, to the extent that they feel the need to write a worm/virus for other platforms because they're annoyed with how smug the users of other platforms are.
 

Scarlet Fever

macrumors 68040
Original poster
Jul 22, 2005
3,265
0
Bookshop!
Hopefully Apple has already made a patch for this...
From here:
Vulnerable: Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
looks like it either hasn't been tested in 10.4.10, or it's been patched
 

epochblue

macrumors 68000
Aug 12, 2005
1,671
0
Nashville, TN
My understanding is that the "researcher" hasn't proved the viability of the attack outside of his/her lab yet. Until he/she does, I'm inclined to think he/she's just blowing smoke.

I'm all for an OS X worm, who knows, maybe it'll quiet all the "OS X IS INVINCIBLE!" types and all the haters can stop thinking that every Mac user is a smug SOB.
 

Nightkrawler

macrumors regular
Sep 4, 2006
171
0
Vienna, Austria
I dont know if 10.4.10 is still vulnerable, but it is possible to disable mdns (Bonjour) with the opensource app "lingon".

http://lingon.sourceforge.net/

Go to the tab "System Daemons" and disable "com.apple.mDNSResponder".
Im not 100% sure if this fixes the hole, but the text says "Using a currently undisclosed vulnerability in mDNSResponder..." so this might be right.
Bonjour related stuff (Printers, ichat, the adium bonjour plugin...) wont work when mdnsResponder is deactivated.
Be careful, if you mess with other system daemons you might wreck your system, i cannot guarantee that it closes the hole since i have no samples of the worm.

Maybe someone who has more Information about Bonjour could confirm this :eek:
 

xUKHCx

Administrator emeritus
Jan 15, 2006
12,587
6
The Kop
From here:


looks like it either hasn't been tested in 10.4.10, or it's been patched
Well it has already been patched and it doesn't affect 10.3 downwards then this really is a non issue. However there might be useful information contained within it that apple could use to further lock down the system.
 

nbs2

macrumors 68030
Mar 31, 2004
2,713
485
A geographical oddity
it's awesome how a POC gets media attention, while 114,000 viruses last year for PCs gets nothing :rolleyes:
Or more likely - most PC users are already using various virus protection programs while OS X users go around nekkid. 1000 new viruses pop-up for the PC and most machines will be pretty safe. 1 new virus pops-up for OS X and how many of us will go down in flames - I know that I will.

What a POC does is remind people that there is a place for those protections on every system and the end-user needs to weigh the costs and benefits of running those apps.
 

Rodimus Prime

macrumors G4
Oct 9, 2006
10,136
4
from here



it's awesome how a POC gets media attention, while 114,000 viruses last year for PCs gets nothing :rolleyes:
of those 114,000 viruses how many where trogins (OSX is fairly easy to hit with a trojin since it uses user stupidity to get into the computer), how many where just variation of an older virus that been around for years.

And I would like to point out that when MSBlaster hit the web it used a security hole that was patch months before hand. If you haven't noticed Microsoft no longer release what holes it has patch because people where taking that information and figuring out how to exploit the hole that would be in an unpatched system.
 

Rodimus Prime

macrumors G4
Oct 9, 2006
10,136
4
My understanding is that the "researcher" hasn't proved the viability of the attack outside of his/her lab yet. Until he/she does, I'm inclined to think he/she's just blowing smoke.

I'm all for an OS X worm, who knows, maybe it'll quiet all the "OS X IS INVINCIBLE!" types and all the haters can stop thinking that every Mac user is a smug SOB.
here is my question. why would you want them to test it outside of the lab. The lab is self contained and will not let the worm get out in the open world. Once it gets out in the open it will spread very quickly and be impossible to contain.
 

AutumnSkyline

macrumors regular
Oct 5, 2006
219
0
it says 10.4.10 is vulnerable...

Vulnerable: Apple Mac OS X Server 10.4.10
Apple Mac OS X Server 10.4.9
Apple Mac OS X Server 10.4.8
Apple Mac OS X Server 10.4.7
Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X 10.4.10
Apple Mac OS X 10.4.9
Apple Mac OS X 10.4.8
Apple Mac OS X 10.4.7
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4

http://www.securityfocus.com/bid/24924
 

iToaster

macrumors 68000
May 3, 2007
1,742
0
In front of my MacBook Pro
Wow, it's about time, but it's all for good cause, he's giving it to Apple so they can fix the system. As for that one Apple fan boy... he's way too extreme... and foolish... and uninformed.
 

Stampyhead

macrumors 68020
Sep 3, 2004
2,294
30
London, UK
Or more likely - most PC users are already using various virus protection programs while OS X users go around nekkid. 1000 new viruses pop-up for the PC and most machines will be pretty safe. 1 new virus pops-up for OS X and how many of us will go down in flames - I know that I will.

What a POC does is remind people that there is a place for those protections on every system and the end-user needs to weigh the costs and benefits of running those apps.
Running currently existing virus protection programs on your Mac would be useless against this worm since it didn't exist when they were created.
 

zero2dash

macrumors 6502a
Jul 6, 2006
846
0
Fenton, MO
:D:D

It's actually an example of how insecure PC users can be about the whole virus issue, to the extent that they feel the need to write a worm/virus for other platforms because they're annoyed with how smug the users of other platforms are.
Being insecure has nothing to do with it.
Being sick of smug Mac users, absolutely. :p :D
 

nbs2

macrumors 68030
Mar 31, 2004
2,713
485
A geographical oddity
Running currently existing virus protection programs on your Mac would be useless against this worm since it didn't exist when they were created.
You're right - but the point is that under the current distribution system, if there was a worm, we would need Apple to release a specific patch for it and wait for people to get it from software update - not the best method for fire control. I have software update set to run weekly, so I wouldn't get it anyway for quite a while. Virus protection systems should catch unknowns more easily as a result of dedicated distribution systems and their inherent design is to look for things that look suspicious.

Am I saying that the worm would be stopped right away? No. Just that it might get caught, quarantined, and squashed a bit more quickly. Should people be running software from those companies? I say that the FUD they produce and performance hit outweighs the inherent security of OS X - so no. But, this POC is a reminder that we aren't invulnerable and we should at least remember that virus protection is out there.
 

Scarlet Fever

macrumors 68040
Original poster
Jul 22, 2005
3,265
0
Bookshop!
Most. Boring. Thread. Ever.
i do sincerely apologise. Next time I make a thread warning people of the inevitable security holes Mac OS X has, I'll also put a picture of some nice fluffy kittens or a link to a flash game, so you can continue to live in ignorance.

seriously mate, if you don't have anything remotely constructive to say, don't bother saying it. For a start, you could tell me why this is the most. boring. thread. ever.