Posted on 02/17/2006 5:50:05 PM PST by Swordmaker
A second piece of Mac OS X malware has emerged this week, though this one poses a very limited threat, thanks in part to Apple's own response. Security software maker F-Secure Corp. describes Inqtana.A, a Java-based proof of concept worm that exploits a vulnerability in Bluetooth on some Macs that haven't been updated with Panther and Tiger security patches.
The chances of Mac users actually being affected by Inqtana.A are remote, however; even F-Secure notes that it hasn't seen the worm in the wild. What's more, Inqtana.A has an internal counter that prevents its operation after February 24, 2006. And Apple has also patched the vulnerability in free system updates.
Bluetooth is a short-distance, low-speed wireless networking technology used to connect computers, printers, PDAs, smartphones and other devices; it's become commonplace on the Mac in recent years.
Inqtana.A exploits a vulnerability called Bluetooth File and Object Exchange Directory Traversal: An infected machine could send an Object Exchange (OBEX) Push request to another system; if the user accepted the data transfer, Inqtana.A could then use the exploit to copy its files to start automatically on the next reboot. Once restarted, Inqtana.A could use the host machine to find other devices that accept OBEX Push transfers and try again.
The Directory Traversal exploit was documented in May, 2005. Apple Security Update 2005-006 for Mac OS X v10.3.9 and Mac OS X v10.4.1 closed the hole. Apple also integrated that security change into Mac OS X v10.4.1's general release. F-Secure claims that Inqtana.A is specific to Mac OS X v10.4.
So presuming you're up to date with Tiger and Panther system updates or security updates, you've nothing to worry about. What's more, Bluetooth's range is very limited; even in a worst-case scenario, you'd only need to be concerned if you were accepting files from other Bluetooth-equipped Macs that were within range (Bluetooth's effective range is about 30 feet or so).
The existence of Inqtana.A elicited an "I told you so" from security software maker Symantec senior director Vincent Weafer.
"We have speculated that attackers would turn their attention to other platforms, and two back-to-back examples of malicious code targeting Macintosh OS X this week illustrates this emerging trend," said Weafer in a statement.
Weafer advised diligence to Mac users, warning that Inqtana.A's source code could be easily modified by a future attacker to do damage.
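The directory traversal described in the article comes down to a receiver trusting the sender-supplied object name when deciding where to write an accepted file. As an added example (not from the article, F-Secure, or Apple's patch), here is a receiver-side check in Python that confines a pushed object to a drop folder; the function names, the drop folder, and the sample names are assumptions constructed for illustration.

```python
import os
import tempfile

class UnsafeObjectName(ValueError):
    """Raised when a pushed object's name would land outside the drop folder."""

def resolve_push_target(drop_dir, pushed_name):
    """Return the absolute path a pushed object may be written to.

    drop_dir    -- folder incoming transfers are confined to (assumed name)
    pushed_name -- the sender-supplied object name, treated as untrusted
    """
    if not pushed_name or "\x00" in pushed_name:
        raise UnsafeObjectName("empty name or embedded NUL")
    # Treat both separators as path separators so "..\\x" is not missed.
    parts = pushed_name.replace("\\", "/").split("/")
    if len(parts) != 1 or parts[0] in (".", ".."):
        raise UnsafeObjectName("name contains path components: %r" % pushed_name)
    base = os.path.realpath(drop_dir)
    target = os.path.realpath(os.path.join(base, parts[0]))
    # Second line of defence: after symlink resolution the target must still
    # sit directly inside the drop folder.
    if os.path.dirname(target) != base:
        raise UnsafeObjectName("resolves outside drop folder: %r" % pushed_name)
    return target

def triage(drop_dir, names):
    """Map each sample name to 'accept' or 'reject'."""
    verdicts = {}
    for name in names:
        try:
            resolve_push_target(drop_dir, name)
            verdicts[name] = "accept"
        except UnsafeObjectName:
            verdicts[name] = "reject"
    return verdicts

# Constructed sample names, not taken from the worm itself.
SAMPLE_NAMES = ["photo.jpg", "../../startup-item", "/tmp/x", "..", "a\\..\\b", ""]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, verdict in triage(d, SAMPLE_NAMES).items():
            print("%-22r %s" % (name, verdict))
```

Only the plain file name is accepted; every name that carries a path component or resolves outside the drop folder is rejected before anything is written.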
PING!
So presuming you're up to date with Tiger and Panther system updates or security updates, you've nothing to worry about. What's more, Bluetooth's range is very limited; even in a worst-case scenario, you'd only need to be concerned if you were accepting files from other Bluetooth-equipped Macs that were within range (Bluetooth's effective range is about 30 feet or so).
If a stranger shows up in your house with a laptop enabled with bluetooth and stands within 30 feet of your Panther/Tiger machine -- the machine on which you've been ignoring those "a new patch is available" messages for the past 2 years or so -- then this stranger tells you to accept his data transmission (and you do), then you'll have an infected machine...which apparently will make you pick up your computer and go find another Mac user and stand within 30 feet of them...
...sounds like a lot of work to transmit a virus.
Too much work...
Well, so long as I don't answer myself, I must be OK.
Yes, Bush, I did read the article.. and it is FUD. The security problem has been long since patched, to be infected you would have to accept a file from an untrusted person within 30 feet (in reality, only about 20 feet), download it, give it permission to install, and then again give it permission to run for the first time. It is NOT news that an application file can be sent via Bluetooth... nor is it news that an application file can carry something malicious. That is called a Trojan and ANY system can be compromised by a user executing an application that has malicious intent hidden in it.
Both Inqtana.A and Leap.A are still subject to the built-in protections that OS X and Apple have to remind users to stop and think before executing an application. Inqtana.A is just a little more obvious... an unknown server suddenly offers you a file over Bluetooth, something you have never encountered before, should you accept it? Should you install it? Should you execute it? If a user thinks that is safe, they deserve what they get.