Domain: securemac.com
Stories and comments across the archive that link to securemac.com.
Comments · 40
-
Re:What is old is new
Not the original poster, and it was a bit hard to find, but there's this: https://www.securemac.com/maco...
I remember a slashdot discussion about it years ago as well.
Ok, well now I remember it; but according to this article (and the comments following it), this is MUCH different than the Lollipop vulnerability:
1. It is only the SCREENSAVER-lock that is affected. The regular OS X Login Screen CANNOT be bypassed in this manner! BIG difference!
2. You must know the USERNAME of an ADMINISTRATOR Account; regular (non-Admin) Users CANNOT use this vulnerability to unlock the screensaver. Again, BIG Difference!
3. This has been fixed for aeons.
-
Re:What is old is new
Not the original poster, and it was a bit hard to find, but there's this: https://www.securemac.com/maco...
I remember a slashdot discussion about it years ago as well.
-
Re:What is old is new
Googling, I found this. It sounds like the screen lock vulnerability described.
-
Re:Anti-Virus money hole!
The majority of Windows virii are detected by heuristic realtime scanners before being sent off to AV vendors for analysis. I'll quote myself:
Also, because OSX users don't typically run antivirus software and those who do typically don't run a realtime scanner with decent heuristics, it is possible (read: probable) that there are more OSX virii out there that we don't know about than there are that we do.
Further, the .THT is not a file extension, it is a malware class abbreviation; it identifies the malware as a Trojan Horse Threat (typically, a trojan would be marked with .TRJ, but some vendors use different terminology). You can read more on this specific thread here, including typical filenames used by this threat (which, by the way, do not have extensions). Since you've never heard of AppleScript.TrojanHorseThreat and it is still out there, with new infections being reported on a fairly regular basis, perhaps you should click that little link.
Or, stay ignorant and be taken by surprise; isn't that what you used to look down on us PC users for, until fairly recently?
-
Re:Anti-Virus money hole!
Here are a few http://macscan.securemac.com/spyware-list/
Regardless of whether you have had or haven't had virus/spyware issues on OSX, when the CEO of the company that makes it advises you to use an actual AV, you probably should. Not to mention, if one OSX system on your network is compromised, all of them are likely to be so, or says a study posted not too long ago (can't find it atm).
The point is, you'd have to be bonehead stupid to not protect yourself regardless of what OS you run on your systems.
-
Re:Security is a big selling point
Please stop drinking so much Kool-aid.
And if you are going to quote from Wikipedia articles, please take the time to understand a bit about those statistics.
OS X is exactly like Windows in as much as it presents, to a malware author, a single OS platform where you can pretty much guarantee that anything that runs on one OS X system will automatically run on another.
Linux does not offer the same kind of unified platform because there are that many different distros out there that the chances of finding an application that you can exploit that is running on most of those systems is much smaller. For example, let's take an SSH worm designed to attack a Linux system - that worm will only work if the system has an SSH server running that it can get to, is at a version which it can exploit and not at a later version where the exploit has been fixed, and it might also depend on the SSH server having been configured a certain way.
So, yes, it might gain entry into some systems but that's precisely why anyone with any intelligence on any OS updates it regularly, double checks how everything is configured and logs important activities on the system.
Quoting the number of instances of malware is irrelevant because any program that can do something not controlled by the user can be defined as malware - what's more important is how dangerous it is and how successful its propagation has been in the wild - to my knowledge, no Linux malware has been a particularly great threat so far.
-
Re:Macs are still no mans land
Ok ok, I just did a quick search. Here's a whole page of vulnerabilities. The point is that OSX, nor any platform, is completely without flaws and impossible to infect. As I'm sure several people have pointed out, as OSX becomes more prevalent, you'll see people working harder to develop malware. And no, I'm not a Windows fanboi. I have several computers with OSes ranging from XP to Haiku, including OSX. To say that a Mac is unable to get a virus is like Hitler saying his army didn't need cold weather gear in Siberia.
-
Re:Macs are still no mans land
Does a trojan count?
securemac.com should probably be told that they are completely useless, as there is nothing for them to fight against.
-
Re:Mike
Hahaha, yeah ok whatever. There are plenty of Unix/Linux daemons that only work if setuid/setgid, if there weren't the feature wouldn't be there. Oh and here's a quick example of how setuid bit early Mac OSX, that particular problem might now be fixed but don't act like Unix is some magic security land.
-
Re:yes, and if grandma had wheels.....
Zero exploits in the wild? Then why does this website exist: http://www.securemac.com/ ? And why does it list trojans in the wild as recently as January 2008? Secunia lists numerous unpatched vulnerabilities for OS X as of this writing, some of which can be used for privilege escalation in a trojan horse. In fact, the only OS that comes to mind that has literally never had an exploit in the wild (or any really exploitable vulnerabilities in a real-world setup) is z/VM, IBM's mainframe OS.
-
Re:Mac Spyware
Apple UK ads say there isn't any spyware... Yes there is and there are programs to deal with them such as intego's internet barrier, smithmicro's internet cleanup and securemac's MacScan antispyware..... Apple should face reality. they do the security updates...
Do you work for Intego? A while back Intego tried spreading FUD like you are spreading in an effort to get more people to buy their software. Are you aware that what they call spyware may be cookies that track you from site to site? It is not actually spyware but stupid people fall for the FUD all the time.
There are also some virus checkers on OS X as well. Does that mean you think there are viruses too? Virus checkers on OS X exist to filter out windows viruses from being spread by shared documents.
-
Mac Spyware
Apple UK ads say there isn't any spyware... Yes there is and there are programs to deal with them such as intego's internet barrier, smithmicro's internet cleanup and securemac's MacScan antispyware..... Apple should face reality. they do the security updates...
-
FoolProof
In my high school computer lab they used a piece of software called FoolProof to lock down the Macs. Limiting where files could be saved, software from being installed, control panel settings from being changed, etc.
In my programming class we routinely had to have the instructor disable this software to test our applications. So I wrote a program that looked just like FoolProof. After entering the password, clicking okay, switching the software "Off" and closing the dialog box my program would wait ten seconds...then send the password to the printer.
At the end of class I handed the sheet of paper and a diskette containing my program to the instructor.
He was less than amused.
-
Re:Who is SANS, anyway?
From this page at SANS. The link is to www.securemac.com. Feedback on both Versiontracker and MacUpdate suggests that the SecureMac application is at best, useless and at worst, dangerous. The hacked discussion board seems to be missing from their links now. :P
I still think the actual quote is extreme and alarmist, considering we are comparing a fixed vulnerability with thousands of known exploits. I am still unaware of a single remote exploit against OS X.
Anyway, this is going off the subject a bit. I still want to know why I should treat the SANS Institute as an authoritative source, given that I know nothing about them, can find out next to nothing about them, and I find some of their data questionable.
I'll add to that the number of self-proclaimed 'internet security experts' is legion, with most of them having their own agendas.
-
Re:funny but outdated jokes...
We've been hearing that for years now. Even when it does make its appearance, it won't solve all of Windows' problems.
So what if Microsoft did publish the release date and then moved it by six months? Everything else has been speculation from people like you. During these years Microsoft did show their system and its development, with their restarts and feature drop-outs. They have done most things to keep us informed about what's going to change with the next Windows. Remember Windows 95? Not until it was released did people get to know it well.
They have kept the release date and I guess they will keep it, since it's about time for a new Windows to show up soon.
Apple isn't the one who twisted the use of the term "PC" -- it's been that way for a long time. It's like the term "hacker" has been twisted. Sad, true, get used to it.
Some information for you. The Apple II was sold as a "home PC". During these years, Apple sold their computers as "home PCs" until they changed and started selling them as Macs. I recall that it was just before the modern Macs came to stores.
Maybe Apple didn't create that twist or they did... No one knows.
Virus makers don't target CPUs: they target operating systems. By your logic, Linux on Intel would also be a hi-security [sic] risk.
I meant here that PPC was a platform that does not interest any virus writers. Tell me honestly, how many PPCs are there against the Intel PCs out there in the world? I can't tell you anything except my best guess. I guess that there are 7:100 PPCs out there. This is my guess then. Now tell me, how many people who own a PPC are virus writers or have some interest in writing viruses for PPCs? Got my point?
People who write viruses are in most cases running their system on the Intel platform. Windows has lots of vulnerabilities. Not only because of its history, but bad design choices also have their effects. Windows also happens to be the most used operating system on the Intel platform out there. It's very natural that virus writers do their stuff for it.
Mac is also in many ways similar to Windows. It's got a so-called legacy code base which has vulnerabilities like Windows does. Like it was slashdotted weeks ago, OSX has vulnerabilities which in other Unixes were fixed like in the 80's.
Mac can now be used on any Intel PC, with some limitations though, unless it's an official Apple Intel Mac.
I'd expect more Mac viruses in the future since Mac is vulnerable to attacks. I'll expect more viruses and trojans for the Mac platform with Apple's market share rising. If Apple had kept to PPC they could have kept the slogan: "There are no known viruses for OSX".
Gnu/Linux doesn't interest virus writers at all. Why? It's the same as wrecking your own house for those people who are hackers and write viruses. People like kids don't know how to write, or aren't interested in writing, viruses for Gnu/Linux. Crackers who write viruses for Gnu/Linux have found it much harder to do, and its spreading is often stopped with almost immediate fixes. Also Linux doesn't have a so-called legacy codebase. Linux transforms its shape, like, every day little by little.
But you are right that since Gnu/Linux operates also on x86, all Gnu/Linuxes running on x86 have a higher chance of getting a virus than the Linuxes which are running on other platforms.
Funny how that segues into my comment: you can count the number of Mac viruses on 1 hand. Also, there were/are PPC-Mac viruses, but, again, only a handful.
By reading http://www.securemac.com/ I know that there are no known PPC viruses for Mac. There are trojans but those aren't effective for many years anymore. And they affect PPC Mac Internet Explorer in most cases. But there is at least one or two real Intel Mac viruses. It depends on who you are asking...
For years Macs have had security problems which have been fixed not immediately but with time. In all peace. Why hasn't anybody used these flaws before? I'd really like you to explain that.
-
Re:More Mac Theft Software
The problem with Orbicule's approach is that their software can easily be removed by wiping the disk. Orbicule claims that setting a firmware password would help, but at least in PPC macs the OF password can be reset by changing the amount of RAM installed and then zapping PRAM three times, thus offering virtually no protection against thieves. It would be nice if unauthorised physical access to DIMM slots could be hardened somehow, so that complete disassembling of the laptop would be necessary to change the amount of RAM. That would hopefully make things complicated enough to get thieves to abandon the computer.
Apple's documentation does not explain the procedure for x86 Macs, so I don't know about those.
-
MacScan
There was a great piece of software at Macworld last week called MacScan. I believe they released their 2nd version of the software at Macworld. It is an anti-spyware / keylogger / trojan program and they were giving demos of certain malicious programs that are out there for Mac. It was kind of scary.
You can find information about the software at: http://macscan.securemac.com./ I personally got a copy for myself as it seems there is more and more malicious code being written for the Mac.
-
Re:Surprised...
Apple's OSes have one whole spyware scanning program http://macscan.securemac.com/. I'm not too sure if it actually does anything.
-
Re:No Need to Update
Sir, as I formulate my reply I sit here typing at my iMac. You are right. Using this operating system has been one of the most secure experiences I have ever been privileged with. I am more satisfied with my Apple experiences than I have ever been with a Microsoft experience. I will not lie to you on that.
However, as an I.T. professional, I cannot overlook the security flaws that are out there. Think they don't exist? Look around, you'll find them.
You're right. Owning a Mac is probably the safest thing you can do as a computer user worried about their system's security. But it's not because a Mac is more secure by design. You and I have both read articles about Microsoft bashing Linux's security, and the Linux Community striking back. Let me tell you something; OS X is of close kin to any given Linux Distro. In fact, it shares a lot of similarities with Free BSD, and I assure you the Darwin Kernel is not flawless.
The reality is... Your Mac is more secure because you have a kindred community of Macintosh users who would rather use their computers for computing. I suspect that the average Mac Programmer capable of writing a virus just doesn't care to. Which is why no one does. /shrug. What do I know, though?
-
They Want To Sell Something...
... so they need to convince us there's a market.
Just like drug companies that release a cure for a disease you'd never heard of, just after 'credible' reports appear in the media showing that most of the population suffer from it.
It's a scare tactic, pure and simple.
However, there is a small sting in the tail - Mac users have little to nothing to worry about today. Tomorrow may be another story entirely.
Just because a virus hasn't been written doesn't necessarily mean it's impossible to write one. There's a creeping feeling in the Mac world that we can't be touched by malware just because we're using Macs. That's a dangerous attitude in the long run.
Mac users need only take advantage of the built-in security, plus enable a few options.
The Firewall should be on by default, but clicking the 'Advanced' button reveals an option for stealth mode. That's always a good idea. In fact, while you're there, turn firewall logging on and come back to read the log in a week or two. That'll highlight any attempts at breaking in.
Keep the administrative account around, but use a non-admin one for day to day tasks. There's no reason not to, and it forces a password check before any files outside the user's directory are altered.
Turn off the option to open 'safe' files after downloading in Safari.
There's a guide from the US NSA out there somewhere that's heavy going, but shows what good security looks like. Read a site like http://www.securemac.com/ once in a while to pick up a few tips.
Mac users needn't be as worried as Windows users should be, but a few ounces of prevention still go a long way.
-
Re:Not enough
What are you talking about? OS X does have viruses, trojans, etc. Why do you think MAC takes such strides to protect itself? OS X also suffers from malware/spyware. Hell, just read some of the news posts on Here
As for Unix/Linux - here are some articles you can check out Here
Maybe you should modify your sig?
-
Re:why?
MacScan does spyware removal, among other things. It doesn't appear to have been updated recently, and I've never needed to use it, but it does exist! (:
-
YawnOS X security
Disinformation by fanboys on slashdot is so amusing. By the way, Outlook has stopped receiving script attachments since 2002; you're 3 years behind the times. And btw, you can't access the Outlook address book with a script since Outlook 2002. And if we are going to talk about servers, let's talk about Windows Server 2003. I'd like to see you remotely exploit a default installation of it. And since you are on the subject of market share, I can remember when Apple had a decent market share. And I can remember having my Mac Plus (nvir), Mac SE/30 (wdef), and even my Mac 7200 PPC infected by viruses. Hell, one even came on the fricking Macworld CD. Those were the days; now Apple's market share has dwindled, and so have the virii. Haven't seen one since System 8.5, but that's about the time I picked up my first PC like many of my other fellow Mac users. God I miss those days, my Hermes BBS and trolling on the PC BBS systems.
Here's a little bit of trivia, what was the first mac software to have malware/backdoor? Homer IRC client that came out back in 96.
9.17.2003 News New SSH Exploit (detailed here) affects Mac OS X granting the attacker access to the computer as root. This security issue is vulnerable in OpenSSH versions prior to 3.7, and Mac OS X is currently only at OpenSSH 3.4. To protect yourself from being vulnerable to this security risk disable SSH access to your computer by accessing your Sharing Control Pane and make sure that Remote Login is disabled. Or set up your firewall to restrict access to the SSH port to only allow trusted connections. We will update this issue when Apple releases a security update.
Directory Services - Mac OS X and Mac OS X Server contains a security hole in DirectoryServices which allows for escalation of privileges and a denial of service attack, which is fixed with the 10.2.5 update. DirectoryServices is part of the operating system's information services subsystem, and is launched at being setuid as root by default. Credit for this find goes to Dave G. as noted by Apple's security advisory.
-
Re:A web site
I agree that the site itself might not be the best, and is definitely not up to date. However, they give a lot of links (see for example this article from Bob LeVitus that gives other links), and as such, they can be a starting point for information. That's how I see it anyway.
-
A web site
that might help for general OS X security: http://www.securemac.com/
Other than that, starting off the install CD and resetting the password, as others mentioned before.
-
Root OSX Shell in 4 Easy Steps
here
....
-
Re: The point everyone misses
-
Re: The point everyone misses
-
Re:Bad Comparison, those aren't service packs.
There are actually many security features Apple service packs address.
M$ also allows you to get the security fixes without the service packs. No, you don't need the SP to get the security patches. Nothing forces you to upgrade to the new SP. But if you do, you do get new features.
Granted more viruses are written for Windows and the alerts appear more on CNN when it concerns Windows, you might think Windows contains a lot more security holes. Don't get me wrong, I'm not saying M$ wrote windows very securely, but they do fix their stuff for free.
-
Re:Open source development
- Get real, folks, the PHB types have been taking note of all the security incidents in the open source world lately, and at this point you couldn't get them to touch anything "open source" with a ten foot pole.
This is in contrast, of course, to the entirely spotless record of closed-source architectures lately...?
-
Re:VLC
"Yet another reason to use Mac OS. Adware, what adware?"
This AdWare.
-
Re:Venders problem?
Why should venders fix this it an OS problem and Microsofts fault. Working around bugs only lead to more bugs and problems.
I agree absolutely. Letting any app call any function as described in the paper isn't a smart idea (I assume it predates multiple users in windows, but still...).
However Microsoft's advice is sound. Having setuid apps is always hairy - anyone remember Apple's moment of shame? There's a little bit of guilt on the vendor side, too.
-
Re:2 words
Doesn't that mean that it can also be re-enabled in OpenFirmware But if they've got physical access to the machine, it's over pal.
Not necessarily.
Until you change their background, trash their home directory and fill their dock with millions of useless files.
Well sure, if that's what you had in mind.
-
Re:You see...
-
Re:Isn't the Most Secure OS... It had recent explo
10 seconds with google was all it took to find evidence to prove you wrong. This is just a DoS, but you just said exploit, not run arbitrary code or anything like that. There's also the Mac Attack: send a certain 40 byte UDP packet to a MacOS computer, and it sends a 1500 byte ICMP packet to the source address of the UDP packet. There is a Mac security website that looks useful for people interested in making a Mac secure (rather than raving on /.)
Cool Mac software that I found while looking for info: ssh and sftp for mac with SSH2 support. License? Well, there's a GNU head on the website :)
-
Crypt
I'm going to post this again, but with a link this time.
Look at Crypt using Blowfish and all that jazz.
Running Solaris as an Admin I have crypt encrypt some docs upon .login and upon .logout for some documents. Never tried it for OSX but I don't see how it should be any different other than it's going to pop up a GUI asking for your passwd.
Following the UNIX and Perl mantra, there is always another way of doing something...
-
Re:The MOST secure OS is already deployed on serve
1 - My server box is headless (no monitor/keyboard). That's because I am never PHYSICALLY there. Yet, I update web pages, email services, add new forms, etc. I can even update the OS remotely. Can you do this on the Mac? Serious question, I'd like to know the answer (I SUSPECT its NO, but I do want to know).
You can do most of the above using a tool like Timbuktu, which allows remote use of a mac using the GUI; you can do most of what you want through that. A better way is to use the Remote Admin Extension, which allows you to administer MacOS (pre-X of course) through a telnet client. Most Mac webservers also have remote administration capabilities built in. I administered a headless Mac webserver for about 5 years using these tools (The OS was 7.1 and I was running Webstar 1.1; this stuff worked faithfully (though slowly) for a long time.)
Of course, the real reason Macs are perceived as more secure is because fewer people have spent time hacking them, because there are fewer Macs. Every service you offer can be coded for the Mac, and many have been, but every service opens the potential for security risks. You can stay up to date on Mac security issues at http://securemac.com, among other sites.
Finally, you can always install linux on the Mac and do what you want, but that really doesn't answer your question.
-
Forgot the OF Password?
Fear not! According to the securemac site and the macosxlabs site, just do the following:
Force Removing Password Protection
1) Add or remove DIMMs to change the total amount of RAM in the computer.
2) Then, the PRAM must be reset 3 times. (Command + Option + P + R).
I'm not sure if just removing the PRAM battery will also reset the PRAM or not in this case.
Is this secure? Well, it depends on your situation. If you are in a lab situation and you don't want the students booting off CDs, ZIPs, external hard drives, etc., for their hax0rish needs, then this works OK. It's easy to spot someone opening up a computer and swapping out ram, etc.
For your own machine? Probably more trouble than it's worth because it causes problems with firmware upgrades, etc. If someone has physical access to your machine, they can get the data off by using the above procedure or by the hard drive swapping someone else mentioned.
Bottom Line: If you have sensitive data on your machine, you should encrypt it even if you have OF password set. In general, if you let someone have physical access to a machine, assume they can get access to all the data on it.
-
Re:Can I do this with my laptop?
That procedure will not change the Open Firmware. Obviously it is more obscure than you think! :)
Well, yes it will remove the password protection on Open Firmware. Have you tried it?
Look here for some info.
It's why it's important to physically secure lab machines that you're doing this with.
-
My, aren't we mouthy
OK, I'll grant that Apple's page is no encyclopedia of security. But it sounds like you didn't even read through what's there. The security page has several concrete and useful bits of information, including:
- a list of security patches and directions for patching;
- general directions for disabling FTP, HTTP, Telnet, SSH, and Appleshare (nice and simple for the non-techies);
- a security mailing list, with directions for verifying Apple's PGP signature; and
- links to three other relevant security sites (CERT, FIRST, and FreeBSD security).
It would be nice if they had links to security software such as Brickhouse, and community security sites such as SecureMac. But the page is not as useless as you make it out to be.