Posted on 04/30/2005 1:52:59 PM PDT by Swordmaker
INCREASED MAC OS X HACKING ACTIVITY
Current Assessment: Hype
Current Assessment Date: 04/06/2005
Executive Summary:
The attention devoted to the non-existent Mac OS X malicious code "problem" during the past several days is not warranted. However, it is possible to configure or use a system running Mac OS X in such a way as to make it vulnerable to malicious attackers. Proper configuration and use is critical with all Internet-connected devices.
Threat: Low
Vulnerability Prevalence: Low
Cost: Medium
Details: The past several days have seen a rash of technology press stories regarding Mac OS X ("ten") malicious code (malcode) and hacking. The stories originated with a security vendor's threat report that mentioned a number of vulnerabilities in the OS as well as the potential of increased malcode development as OS X's adoption rate increases.
Despite the low threat rate of OS X vulnerabilities and the non-existence of OS X malcode in the wild, many of the press took this as an opportunity to write misleading stories about the "problem" of Mac OS X malcode.
The hysteria was exacerbated when a research group released a document about the potential future development of spyware for OS X. Despite the fact that OS X spyware is not widespread (some argue that it doesn't exist at all), several stories appeared about Mac OS X's spyware "problem".
When a vendor that manufactures accessories for Apple products challenged the general public (and in particular the company that released the threat report) to write a Mac OS X virus (offering a cash bounty for the winner), more misleading stories began to circulate.
The vendor withdrew the challenge upon realization that they were offering money in exchange for illegal activity.
While irrelevant stories about Mac OS X viruses and spyware occupied the front pages of technology news sites, systems running the operating system were being compromised; however, they were not being compromised by viruses and spyware.
A default Mac OS X install results in a system that is resistant to common remote attacks, but it is possible to make configuration changes to that default installation. Poor configuration and usage of Mac OS X can result in undesired remote system access.
Many recent reports of OS X compromises appeared to result from poor configuration of Apache (the web server included with OS X) or a non-upgraded and enabled awstats (a log file analyzer). Apache can be configured (for better or worse) via OS X's graphical interface, as can file sharing, anonymous FTP, and SSH. Weak passwords for SSH and other remote access services can and often do allow unwanted access to a computer. Disabling and not using Software Update can result in unpatched vulnerabilities. OS X's command line utility and Unix-based kernel allow even more opportunity for a user to make his or her computer an easy target for malicious attackers. Exploit code for Mac OS X is being developed on a regular basis to take advantage of poor configurations.
Since OS X runs on a Unix-based kernel, it may be susceptible to future attacks intended for other Unix-based systems. It will not be susceptible to all such attacks, however, due to differences in its operating system and hardware architecture. Those differences may also be used to refute the oversimplistic argument that an increase in the OS X installed base will translate to the same rate of malcode that other operating systems experience.
Mitigations:
Mac OS X's default security should not be loosened unless the user has a need that necessitates it and understands how to properly configure the desired service. Strong passwords should be used for system accounts (especially if they are remotely accessible). The root (superuser) account should not be enabled. Software Update should be used on a regular basis (preferably with automatic update on). The built-in firewall should be enabled with only necessary port traffic allowed. Home directories should be encrypted with FileVault, especially on multi-user systems.
While no OS X viruses have been found in the wild, rootkits and trojans have been developed that could be utilized to compromise a system; however, owner assistance (or physical access to the system) is necessary for those attacks to be successful. Users should not open unexpected email attachments or untrusted applications.
OS X users in a corporate environment should be encouraged to run antivirus software if there is a significant possibility that they may pass along macro or email-borne viruses to Windows-using colleagues. Subscribers to Apple's .mac service have free access to antivirus software. Before installing any software on a system, its resource use and impact on system stability should be evaluated against its usefulness.
OS X users should not become so smug as to reject the concept of viruses and worms existing for their chosen platform in the future. However, they are currently far more likely to become victims of malicious attackers due to poor system configuration and use than because they are not running antivirus and spyware protection software.
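The assessment's point about weak SSH passwords is easiest to act on with log review: OpenSSH writes a "Failed password" line to the system log for every rejected attempt and an "Accepted password" line for each success, so a burst of failures from one address followed by a success from the same address is the signature of a guessed password. The following script is an added example written for this page, not part of the assessment or the thread; the log lines it processes are constructed to match the standard OpenSSH syslog format, and the five-failure threshold is an arbitrary assumption you would tune for your own hosts.

```python
"""Flag password-guessing against sshd from syslog-style log lines.

Added example, not from the assessment above. Parses the standard OpenSSH
"Failed password" / "Accepted password" messages and reports (a) source
addresses that fail repeatedly and (b) any success that follows a burst of
failures from the same address, which is what a guessed weak password
looks like in the log.
"""
import re
from collections import defaultdict

# OpenSSH message formats; the syslog prefix (timestamp, host, "sshd[pid]:")
# precedes each message and is skipped by searching rather than matching.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted password for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one address guesses five times and then gets in as
# "alice"; another address mistypes once and then logs in normally.
SAMPLE_LOG = """\
Apr 30 13:01:02 powerbook sshd[412]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 30 13:01:04 powerbook sshd[412]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Apr 30 13:01:06 powerbook sshd[413]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr 30 13:01:08 powerbook sshd[414]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Apr 30 13:01:10 powerbook sshd[415]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Apr 30 13:01:12 powerbook sshd[416]: Accepted password for alice from 203.0.113.7 port 51027 ssh2
Apr 30 13:05:00 powerbook sshd[420]: Failed password for bob from 192.0.2.10 port 40001 ssh2
Apr 30 13:05:05 powerbook sshd[421]: Accepted password for bob from 192.0.2.10 port 40002 ssh2
""".splitlines()


def analyse_sshd_log(lines, threshold=5):
    """Return (guessing, guessed).

    guessing: {ip: {"failures": n, "users": [...]}} for every address with
              at least `threshold` failed password attempts.
    guessed:  [(ip, user, failures_before_success), ...] for each accepted
              password that came after at least `threshold` failures from
              the same address (the likely compromised account).
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    guessed = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures.get(m["ip"], 0) >= threshold:
            guessed.append((m["ip"], m["user"], failures[m["ip"]]))
    guessing = {
        ip: {"failures": n, "users": sorted(users_tried[ip])}
        for ip, n in failures.items()
        if n >= threshold
    }
    return guessing, guessed


if __name__ == "__main__":
    guessing, guessed = analyse_sshd_log(SAMPLE_LOG)
    for ip, info in guessing.items():
        print(f"{ip}: {info['failures']} failed logins, users tried: {', '.join(info['users'])}")
    for ip, user, n in guessed:
        print(f"WARNING: {ip} logged in as {user} after {n} failures; treat the password as guessed")
```

The successful login after repeated failures is the finding that matters: it identifies which account's password was weak enough to guess, so that account's password is changed (and the session reviewed) rather than only blocking the source address.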
Nope, I'm saying all Mac-using girls are pretty!
This widget exploit seems pretty serious. To sum up, Safari can be made to install widgets without prompting, the widget can make calls to the system, e.g. deleting your home directory, and you won't be warned that the widget contains code that makes system calls. And, there is no widget management or inspector utility. Seems like the same mistake that Microsoft made with tying the browser too closely with the OS. On the plus side I would imagine that it would be pretty easy to fix these vulnerabilities and would expect an update to be available soon.
Not quite right. While everything you said is apparently true, there is one more step... after the widget is downloaded and installed in the Macintosh HD/Library/Widgets/ folder, the USER MUST drag it from the widgets dock and place it on the Dashboard for it to be invoked... and then agree to run it for the first time. Only then can its malicious intent be realized.
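The two posts above note that there is no built-in inspector for Dashboard widgets and that a widget's ability to make system calls is not surfaced to the user. That information is in each widget bundle's Info.plist: Dashboard's permission keys (AllowSystem for widget.system(), plus AllowFullAccess, AllowFileAccessOutsideOfWidget, AllowNetworkAccess, AllowInternetPlugins and AllowJava) must be set there for the widget to get that access. The inventory script below is an added example written for this thread, not an Apple utility; it assumes widgets live in /Library/Widgets (the folder named above) and in the per-user ~/Library/Widgets, and the three widget bundles it builds for its self-test are constructed, with made-up bundle identifiers.

```python
"""List installed Dashboard widgets and flag the ones that can run commands.

Added example, not an Apple tool. Each widget is a .wdgt bundle whose
Info.plist declares the access it wants; a widget can only call
widget.system() if AllowSystem is true there, so reading the plist is an
inspector for exactly the warning the thread says the user never sees.
"""
import os
import plistlib
import shutil
import tempfile

# Assumed widget locations: the system folder named in the thread and the
# per-user folder.
WIDGET_DIRS = ["/Library/Widgets", os.path.expanduser("~/Library/Widgets")]

# Dashboard permission keys; the first two grant the broadest access.
RISKY_KEYS = (
    "AllowSystem", "AllowFullAccess", "AllowFileAccessOutsideOfWidget",
    "AllowNetworkAccess", "AllowInternetPlugins", "AllowJava",
)


def inspect_widget(bundle_path):
    """Read one .wdgt bundle's Info.plist and summarise its permissions."""
    with open(os.path.join(bundle_path, "Info.plist"), "rb") as fp:
        plist = plistlib.load(fp)
    return {
        "name": os.path.basename(bundle_path),
        "identifier": plist.get("CFBundleIdentifier", "?"),
        "permissions": [k for k in RISKY_KEYS if plist.get(k)],
    }


def inventory(dirs, baseline=frozenset()):
    """Inspect every widget bundle under `dirs`; mark those in `baseline`
    (a set of bundle identifiers you have reviewed) as known."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            bundle = os.path.join(d, entry)
            if entry.endswith(".wdgt") and os.path.isfile(os.path.join(bundle, "Info.plist")):
                w = inspect_widget(bundle)
                w["known"] = w["identifier"] in baseline
                findings.append(w)
    return findings


def flag(findings):
    """Widgets worth a look: not in the baseline, or able to run commands."""
    return [
        w for w in findings
        if not w["known"] or "AllowSystem" in w["permissions"] or "AllowFullAccess" in w["permissions"]
    ]


def build_sample_widgets(root):
    """Write three constructed widget bundles under `root` for a self-test."""
    samples = {
        "Weather.wdgt": {"CFBundleIdentifier": "com.example.weather"},
        "Notes.wdgt": {"CFBundleIdentifier": "com.example.notes"},
        "Cleanup.wdgt": {"CFBundleIdentifier": "com.example.cleanup", "AllowSystem": True},
    }
    for name, plist in samples.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "Info.plist"), "wb") as fp:
            plistlib.dump(plist, fp)


def demo():
    """Run the inventory over the constructed bundles; returns (all, flagged)."""
    root = tempfile.mkdtemp()
    try:
        build_sample_widgets(root)
        found = inventory([root], baseline=frozenset({"com.example.weather"}))
        return found, flag(found)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    # Inspect the real folders; fall back to the constructed sample if none exist.
    found = inventory(WIDGET_DIRS)
    if not found:
        found, _ = demo()
    for w in found:
        status = "known" if w["known"] else "NOT in baseline"
        print(f"{w['name']:<16} {w['identifier']:<28} {status}; permissions: {', '.join(w['permissions']) or 'none'}")
```

Run against the real folders, the output gives the missing inspector: any widget that appeared without your having chosen it, or that declares AllowSystem, is the one to remove before it is ever dragged onto the Dashboard.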
I'm glad to see the way this issue has turned out.
I'm also gratified to see general_re has taken a leading role in informing and helping the Mac community resolve what could be a serious problem in the future.
Thanks general!
I look forward to Apple resolving this one quickly. I don't think anything should be downloaded just by visiting a website - a warning pop-up should give the user control over all download scenarios.
Yeah, right. Since most Mac users are the uber-liberal-earthy-crunchy types, I'd guess that most of them don't bathe regularly, don't shave, etc... Definitely NOT pretty.
Well then, looks like you should refrain from buying your own bull___t, now doesn't it?