OS X under attack
Published: 01 Mar 2006 13:55 GMT
Is it a Big Mac attack? Two new malware threats and a major security hole have plagued the supposedly secure OS in the past month, which should give Mac advocates pause — or at least send them scurrying to buy antivirus software.
In the past few weeks, Apple's Mac OS X has taken some very serious security hits, leading some of us professionally paranoid security types to wonder if we're finally seeing the long-expected surge of attacks on Apple systems. I never did buy into the theory that Apple's software was immune to malware or significant vulnerabilities — I've always figured that vandals attack the most obvious target, which is why Microsoft vulnerabilities are so often in the security headlines.
Apple's Mac OS X simply hasn't seen enough popularity to tempt cybervandals when Microsoft offered such a gigantic — and vulnerable — target. But, as users of Mozilla's Firefox have found, as a niche product gains market share, it simultaneously garners the interest of those who wish to show off or simply cause mischief.
And it looks like the month of February turned out to be very interesting for these people: two worms that targeted Mac OS X and a serious flaw in Mac OS X itself made headlines last month.
The first worm, dubbed Leap-A, spreads via Apple's iChat instant-messaging utility, and it only appears to affect Mac OS X 10.4 platform files. This malware is spreading in the wild, but initial infection rates appear to be very small.
According to Symantec's report, the name of the iChat IM attachment is latestpics.gz, which has an apparent size of 2314.7 MB. If the attack is successful, the worm installs its components, deletes some files on the vulnerable system, and, unless it's an Intel-based computer, will attempt to spread. Symantec says that Intel-based systems are subject to damage from the worm but won't allow it to spread.
The second malware threat is actually only a test version or proof-of-concept worm known as Inqtana.A on almost all antivirus vendor lists. The worm uses a Bluetooth attack vector (input validation vulnerability) to spread. However, because it lacks an active payload, Inqtana.A is, as its author has made clear, more of a warning shot across the bow of Mac OS X users than a credible threat.
And if the first two worm threats weren't enough for February, a vulnerability in OS X has also surfaced. While this is probably a more serious blow to those who tout Apple's security superiority to Microsoft, the new remote code execution threat is quite reminiscent of all those Web site-based attacks that plague the Microsoft Windows and Internet Explorer world.
According to Symantec's report, this high-risk OS X archive metadata command execution vulnerability, discovered on February 21, affects those using Safari and Mail. Version 10.4.5 of Mac OS X and Mac OS X Server are definitely vulnerable, and earlier releases may also be susceptible.
Apple is reportedly working on a patch. Keep an eye on Apple Security Updates for more information on upcoming patches.
The SANS Internet Storm Centre initially warned that this vulnerability could pose a serious threat. It later updated the initial warning to advise users that this vulnerability is a lot more dangerous than originally thought because merely shutting down Safari won't stop the attack. (See the initial Heise Online report for details about how Mail sometimes executes compressed files and metafile scripts without asking.)
As with the many similar Microsoft attacks, Mac users don't have to visit a malicious Web site to be subject to this threat — merely opening an email attachment is enough to trigger the attack. The latest reports say this is true even if you use Firefox to download the ZIP file. While Mozilla's Thunderbird email client does appear to immunise a system somewhat because it avoids the automatic execution of the infected file, that doesn't protect against user stupidity (such as opening attachments from strangers).
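The article describes the hole only at the level of "an archive whose metadata causes a file to be executed". The following is an added defender-side illustration, not code from the article, Symantec, SANS or Apple: a small mail-gateway style check that opens a ZIP attachment in memory and flags any entry whose file name claims to be passive data (an image, a text file) but whose leading bytes are a shell script or a Mach-O executable. It also records whether Apple's archiver has stored resource-fork metadata for that entry under the `__MACOSX/._name` sidecar convention, since that metadata is what can change how Finder or Mail opens the file. The archive, its file names and contents are constructed here for the example; the set of "passive" extensions and magic numbers is an assumption about what a scanner would reasonably look for, not a description of the February 2006 exploit itself.

```python
"""Flag ZIP entries whose name says 'data' but whose content says 'code'.

Added example for a mail/download scanner; the sample archive below is
constructed in memory and does not reproduce any real malware.
"""
import io
import posixpath
import zipfile
from typing import Optional

# Extensions a recipient would expect to be passive data, never code.
PASSIVE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf"}

# Leading bytes that identify executable content. The four Mach-O magics
# cover 32/64-bit in both byte orders; CAFEBABE is the universal (fat) header.
EXECUTABLE_MAGICS = {
    b"#!": "script with shebang",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary",
}


def classify_content(head: bytes) -> Optional[str]:
    """Return a label for executable content, or None for anything else."""
    for magic, label in EXECUTABLE_MAGICS.items():
        if head.startswith(magic):
            return label
    return None


def metadata_sidecar_name(entry_name: str) -> str:
    """Path at which Apple's archiver stores resource-fork metadata for an entry.

    'latestpics/photo.jpg' -> '__MACOSX/latestpics/._photo.jpg'
    """
    directory, base = posixpath.split(entry_name)
    return posixpath.join("__MACOSX", directory, "._" + base)


def scan_archive(data: bytes) -> list:
    """Return one finding per entry whose extension and content disagree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            # Skip directories and the metadata sidecars themselves.
            if info.is_dir() or info.filename.startswith("__MACOSX/"):
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext not in PASSIVE_EXTENSIONS:
                continue
            with zf.open(info) as fh:
                kind = classify_content(fh.read(8))
            if kind is None:
                continue
            findings.append({
                "name": info.filename,
                "claimed": ext,
                "actual": kind,
                # True when Apple resource-fork metadata travels with the file.
                "has_metadata_sidecar": metadata_sidecar_name(info.filename) in names,
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed ZIP: one disguised script, one real image, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Disguised entry: called .jpg, but the content is a shell script.
        zf.writestr("latestpics/photo.jpg", b"#!/bin/sh\necho constructed sample\n")
        # Constructed resource-fork sidecar for the disguised entry.
        zf.writestr("__MACOSX/latestpics/._photo.jpg", b"\x00\x05\x16\x07constructed")
        # Honest entries: a PNG header and plain text.
        zf.writestr("latestpics/real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("latestpics/readme.txt", b"just text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

A scanner built on this idea would quarantine or strip the flagged entry rather than rely on the recipient noticing that a "picture" opened a terminal; the check is deliberately independent of the mail client, which matters because the article notes that neither closing Safari nor downloading with Firefox avoids the problem.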
Final word
It's true that very few Apple worms are in existence. However, it's also unfortunately true that many Mac users feel such a sense of superiority to Microsoft users and invulnerability to threats that they often fail to take even the most elementary steps to protect their systems. What that means is that while many Windows users can laugh at the latest Microsoft worm announcement because we have solid firewall and antivirus protection, even a weak worm could spread like wildfire through largely unprotected Mac systems.
I have nothing against Apple, other than the old single-sourcing problem (which would bother anyone who used to be a purchasing agent for a computer-based company). But it's only fair to point out that Apple may not be prepared to step up quickly enough if cyber-vandals really turn their attention to Macs.
For years, Apple has gotten away with its stated policy: "Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." But I wonder just how long it can continue stonewalling as the platform comes under increasing threats. (You might almost call Apple's stand a bit Mickey Mouse — at least if you listen to Wall Street rumours that predict an Apple purchase of Disney.)