Mac OS X Trojan Horse Infects MP3s
frequnkn writes "The Mac News Network reports that Intego has announced an update to their anti-virus app for snagging the first Mac OS X Trojan horse, MP3Concept (MP3Virus.Gen), which exploits a weakness in Mac OS X where applications can appear to be other types of files."
In six years, Intego has made a name for itself in the Internet security and privacy market for Macintosh.
I always wonder where the sources are for the majority of viruses. It is quite ironic that a company selling you a fix happens to find the problem and releases the solution for the low price of 59.95. Yet a Google and Symantec Security search didn't yield anything about MP3Virus.Gen. Hmmm - it's awfully nice they fixed this virus so fast.
I can stand that.
Does my speculation about the RIAA's involvement in the creation of an MP3 trojan put me in the tin foil hat crowd?
So what?
Mac OS X can have trojans. Mac OS X can have viruses. Mac OS X can have security issues.
It's just a lot harder to exploit all of these things on Mac OS X for numerous logistical, technical, and statistical reasons.
It is a real concept. There is an example of the trojan, or "virus" (sic), here: http://www.scoop.se/~blgl/virus.mp3.sit
However, it seems that this may be at best questionable, as the "proof of concept" is nothing more than a standalone CFM application that has been given a creator type of 'APPL' (recognized by Mac OS X as a Carbon application), but with the file extension '.mp3', the standard mp3 icon, and the contents of an mp3 (which Mac OS X displays to the user as an mp3). While the file does indeed appear at first glance to be an ordinary mp3, which can admittedly be potentially dangerous, it is in fact an application.
Additionally, as a CFM application, the file needs to be transported in such a way as to keep the resource fork intact, massively reducing its utility.
I predict a future security update will disallow this behavior...
This does not change the fact that Mac OS X is fundamentally and philosophically far more secure than alternatives.
Big difference. People used to spread stuff under Windows by faking different extensions too.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
.. and I just bought a G4 PowerBook too!
That's it, I'm selling this, maybe I'll get one of those Sparc laptops instead..
- Cowboy
what, what?
That noise you heard was all the mac zealots falling off their soapboxes. ;-)
j/k, who loves ya baby!
Quidquid latine dictum sit, altum viditur
I thought in unix, everything was just a file!
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6
It appears that this is merely a proof of concept virus, hence, it is utterly benign. It was not made with any malicious intent, but to demonstrate one way that OS X could be exploited. The discussion group is concerned with making OS X more secure, not less.
Somehow, Intego got wind of it and blew it out of proportion, but I suppose it is theoretically possible that future viruses could be modeled on it. However I'm sure that Apple could, even more quickly, release a security update that fixes this.
I suppose I'll start to panic as soon as apple acknowledges it, rather than take the word of a company trying to sell me anti-virus software.
I'm switching to Windows!
What kind of OS X user would be caught dead using such ancient, PC-originated technology (and I use that term loosely) as an MP3?
It's bad enough that they'll be shunned by all their iPod-wearing, dual-CPU-owning, Mac cabal member friends, but now their computers get pwned? Talk about kicking them while they're down.
True story.
What this article doesn't mention is how (or if) the code gets around the normal OS X restrictions requiring that one enters an administrator's password. Even if applications can be hidden, I question the amount of damage they can do... Surely nobody will enter an admin password requested by an ".mp3" file.
Besides, this isn't a virus so much as a security flaw. Why pay $60 for software when Apple will surely release a patch soon?
Oh, and for all the PC assholes who are currently saying "In your face, mac zealots" or whatnot--nobody claims that OS X is bulletproof--no computer system is. Nevertheless, it seems to be a lot more secure than, say, Windows, which has security problems all of the time.
but has the Windows essence
It was just a matter of time before someone used it maliciously to confuse the line between instructions and data.
I can see the fnords!
Who said I was a windows fan?
Heh... Interesting that the first trojan horse/virus yet to be seen for OS X uniquely exploits the discordance between the "Classic" pre-OS X way of specifying file types (File Type/Creator metadata) and the new, inherited-from-Windows, file extension method.
The basic gist of this trojan from what I've read so far (there is very little information aside from what Intego has on their own web site) is that it is a file with type AAPL (executable application) but with an .mp3 extension... the Finder thus displays an MP3 icon for it yet launches it as an application when the user double-clicks.
What this basically comes down to, then, is the Finder making the wrong decision as to how to present the file to the user. Specifically that it presents it in one way, but acts upon it (when double-clicked) in the other. Whether it should first obey the deprecated file type metadata or the file extension is left to be argued about... what's certain is that it should always behave with the file the same way it presents it. I predict a bug fix for this will be in OS X shortly.
No one ever said it was physically impossible for Mac OS X to have a trojan...the only thing that even MAKES this a "trojan" is the fact that the file can *appear* as an ordinary MP3. Writing an application that can be destructive is no difficult task; it's just that this can appear to be an MP3 due to a shortcoming in the way OS X displays and handles Carbon/CFM vs native file type information. A security update can easily fix the shortcoming. Still, 1 trojan vs. thousands? I'll take Mac OS X, thanks...
Somebody on macnn.com pointed out this: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&frame=right&th=631707378ffe9292&seekm=blgl-5D750C.02150821032004%40news.bahnhof.se#link6
I have my doubts about this trojan, as I opined on my website at destination-life.com, but there is one problem: this proof of concept at this link:
At Google Groups
I opened the file in BBEdit, and it appears that there is in fact executable code in the file, but it doesn't appear evident to me how the binary code would be executed if the audio file is opened inside of a music player.
Hopefully this ends up being a hoax, or at least some more details come out soon.
That's an alternative for me.
All of the Linux and Windows people are going to say, "I told you so," about this little episode in security breaches. But, when Microsoft has to release patches on a monthly basis. Linux, well, let's just talk about Windows right now... There are only 3% that use Mac, myself included, who cares if there is a trojan out for it. There are thousands out for Windows. 1 every few years is much much better than a few every day.
-- johntracy.com, because everybody else is wrong.
Once worked for a local mac service shop that sounded the red alert for a purported virus the owner dubbed "MySound". It turned out to be nothing more than a sound file installed by scanner software...He just ended up with egg on his face. Seemed like a quick way to sell more copies of AntiVirus if you ask me.
Is the file actually a bundle like every other app? ( you can view contents?) also then wouldn't it be easy to use a command line tool to search for such a folder structure within a .mp3 file?
...because a *nix fan wouldn't take a baseless jab at Mac OS X.
It's sure nice to hear about a fix at the same time as the bug... unlike MOST times, where you hear about a bug and then the fix is waaay later, later enough for every dolt to download the virus and infect their addressbook/shared playlist people/etc.
Your mindless trolling would lead anyone to draw that assumption.
What's relevant here is now that this has exposure (and we all know that /. == exposure to those who matter), how quickly will Apple respond and rectify this by issuing a patch?
Here's wagering that they don't sit on it like M$ has been known to do, if not for any other reason than that M$ has a far greater volume of viruses/trojan horses/etc. to deal with!
-Nanter
This is nothing new... people have been doing this for years on Windows. OS X lets you hide file extensions too, so MyMusic.mp3.app can show up as MyMusic.mp3. The article seems a little misleading at first -- the ID3 tag isn't executed, it's a full fledged application that contains an MP3 file.
It would take me about 15 minutes to write my own "trojan horse" of this nature... Don't make a big fuss over nothing.
From the MacNN article:
The company says that Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.
Sanity is not statistical.
We needed an OS X virus just to liven things up! The ratio of viruses in the wild to lab viruses leads one to believe that the Anti virus companies created some to keep them in business. The WildList should be enough to keep all the Antivirus companies on their toes now.
Have you Meta Moderated t
My personal opinion is that they are trying to sell software. It is just a proof that it can occur (and it can be done with media types other than mp3). My bet would be that Apple will have a Security update out very shortly (i would be <1wk)
The last big 'virus' scare for the mac was a number of years ago with the 'autostart worm'. As I understood it, it was an app that took advantage when you put a music cd in, it would automatically launch and play. The system was simply fooled into thinking the worm was a CD and not an application.
I have been surprised there haven't been more exploits using this method. I stick a music cd in any computer now (mac/win/*nix) and the OS launches and tries to play it.
Also, many windows install disks have the autoinstaller application which, I suppose, could be spoofed into launching automatically too, by a malicious code writer. It automatically launches simply by inserting a CD.
Am I correct in assuming all modern OS have some file validation routine to check these autostart/autolaunch applications?
Hey, leave comments about my mother out of this!
This virus sucks unless it has ogg support. Jeez! Mac OS X is so lame..
Actually, I was just making the point that mac zealots irritate the hell out of me - IT'S NOT PERFECT.
I use doze/nix pretty much equally these days for your information.
But, call me a troll if you will, it's not the point I intended to make.
OS X is fundamentally and philosophically far more secure
Whew! If only they could put Apple hubris behind their security, then they'd be totally safe.
what's a "resource fork intact" , btw?
Stop, take a deep breath. The rest of us know this is a BS proof of concept proggy. We know OS X is way more secure than the 'doze. We know your love for your OS is justified. It's more-or-less a weak /. article. It happens for the rest of us all the time. :)
All is well.
Haven't tried it, but I think the most this could do is take out the user's home folder and files, and set itself up to be run whenever the same user logs in. Without an admin password, the rest of the system (and the other users' files) are completely safe. A trojan like this can only spread by stupidity.
Surely nobody will enter an admin password requested by an ".mp3" file...
Sure they will -- just like people click "Yes" to ActiveX installers in Internet Explorer on Windows. Actually, from a social engineering point of view, how many people using MacOS X know that it could be fishy if an app is asking for an admin password? And given MacOS X's stellar security record, why fret that the asking app should not be asking for root access? (Maybe I cannot possibly understand this because I am a Windows user and this is a Mac thing???)
Deborked link
Trojans aren't new in the Mac world, of course. There have been viruses made for the original Mac OS, but very, very few in comparison to, say, MS-DOS and Windows: Approximately 50 Mac OS viruses compared to 20,000+ viruses and their ilk in the Windows world.
The method in which this trojan infects isn't new: Windows viruses often hide their true extension in the same way as this empty-payload Mac OS X trojan.
What is significant is what a payload-laden trojan could do to today's Mac OS world. As a tech, I get to see a fair audience of Macs in use and what software they use. The very concerning part is that very few (my estimate: less than 1 in 50) Macs use ANY kind of antivirus software.
Not that you can't find any: Aside from Intego (who make a fine firewall as well as their virus products), you can get Norton AntiVirus from Symantec and Virex from Network Associates. Yet, most of us don't own any AV software.
That's bad for two reasons. One: While most Windows malware we Mac users may receive by mail are harmless to our Mac OS X systems, we remain Typhoid Mary-esque carriers to other PCs. Two: Our complacency in saying that "Macs don't get viruses" does not ensure that we will not experience one later.
That "later" is now.
Further, the "security through obscurity" protection is gone with the move to OS X. It's just a UNIX OS now, no longer a relatively-closed OS, which means there are more people who are UNIX-savvy who can create malware than before. (Fortunately that also means there are plenty of Good Guys who can spot this stuff before Apple or AV vendors are made aware.)
While I doubt there will be lots of new Mac attacks soon, I would not wait until one shows up with a nasty payload. Buy some AV software and keep puttering along. I'm sure there's some ass out there with too much time on their hands who, like the guy who took the Word Macro "Concept" virus, added a payload and sent it on its way, who will love to make some pitiful Mac users suffer.
Also, consider creating a regular user account, which cannot install software. In the event that you do open something with a payload on that account, hopefully OS X's permissions will stop any attempts to change any file or program except those in that account's home folder. Thank God for the UNIX permissions system.
Vos teneo officium eram periculosus ut vos recipero is.
This would only work if the trojan could somehow learn your admin password, such as a key logger, and then transmit it to the outside. If you are using an app such as Little Snitch then you would be immediately alerted once this trojan tries to do this.
Give us back our trojans, silly Mac people! We don't steal your GUI, input devices or hot artist chick users, do we? ... Wait a sec...
Hate me!
You can write an applescript or any other app to do malicious things, then paste a new icon on it and change the extension. It's been done before. There was a Simpsons one floating around Hotline a couple years ago that would delete files when you launched it.
Are there any free AV programs (opensource would be nice) for MacOS X? I haven't had an AV installed on my PowerBook G4 (over a year) and never had infections. Maybe it is time for me to get an AV. I don't need an AV that runs in the background. I just want to scan and fix. Of course, update often.
Thank you in advance.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Have fun with your mind-boggling plethora of remote Windows exploits, and the fact that you can't even install Windows XP from scratch on a machine attached to a public network without having it insta-owned.
Can I do this on a Mac?
Actually, I was just making the point that mac zealots irritate the hell out of me - IT'S NOT PERFECT.
A really original and insightful point that *nobody* has ever made on Slashdot before.
But, call me a troll if you will, it's not the point I intended to make.
Troll, flamebait, redundant... any one of them would seem perfectly apt to me.
I love how everyone is pre-emptively trolling the PC users, who are supposed to troll about Mac viruses, yet no PC users are saying this. Why are Mac people so fervent and testy about this sort of thing?
I want to delete my account but Slashdot doesn't allow it.
virus.mp3 version 1.0, Copyright 2004 by E. Cracker. All rights reserved.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="0.9">
<dict>
<key>CFBundleIdentifier</key>
<string>mp3.virus</string>
<key>CFBundleName</key>
<string>virus.mp3</string>
<key>CFBundleGetInfoString</key>
<string>virus.mp3 version 1.0, Copyright 2004 by E. Cracker. All rights reserved.</string>
<key>CFBundleShortVersionString</key>
<string>virus.mp3 version 1.0</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleSignature</key>
<string>vMP3</string>
<key>CFBundleVersion</key>
<string>1.0</string>
<key>CFBundleDevelopmentRegion</key>
<string>English</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>LSPrefersCarbon</key>
<true/>
<key>CFBundleIconFile</key>
<string>128</string>
</dict>
</plist>
I thought it was pretty interesting :)... Now to delete the file before I open it :P
TheMadRedHatter
while(1)
{
}
Ah, the story of life.
Right, so now, check all of your new MP3s with an application like MP3 Rage, and when it barfs saying that it's not a proper MP3 file, throw it away. Nice and simple. This does sound like something that can be fixed at the system level pretty quickly, though.
Not that anyone's out there getting MP3 files from sources they can't trust or don't know anyway, riiiggghhht?
This is extremely similar to a recent Outlook vulnerability that was patched don't-know-when.
So, what this Mac trojan does is to present itself with dual types, knowing that one (the file extension) will be presented to the user, and the other (type/creator metadata) to the operating system. The user sees a harmless file, and the operating system sees executable code.
The recent Outlook vulnerability did the same when rendering HTML mail; it used the MIME type to determine if to render, and the file extension to determine how to render. Thus, you would attach an executable (.exe) with MIME type image/jpeg, and reference it in a HTML mail. Outlook would try to render the image/jpeg, and called the shell for rendering the .exe. Boom.
So, this is nothing new, but I think we'll see more of this as complexity arises. It's not hard to make a complex system; it's hard to make a SIMPLE system.
One of the many woes of being a Mac user is that we do not have the multitude of viral applications that Windows users have. Now that we have our first trojan, we are on the path of being like Windows users. However, it is my fear like most Windows applications, we are going to have to wait months and months before we get our next one...
Strange women lying in ponds distributing swords is no basis for a system of government.
"It is quite ironic that a company selling you a fix happens to find the problem and releases the solution for the low price of 59.95. "
[ Inigo Montoya ]
I don't think that word means what you think it means.
[ /Inigo Montoya ]
That's not ironic. It may be, to tinfoil-hat-wearers, SUSPICIOUS, but it's not ironic at all.
I seem to recall an exploit where you sent Internet Explorer a file with a non-executable MIME type (thus getting by its "don't open untrusted executables" restrictions) but a .exe extension (thus getting the system to open it by executing it).
I wouldn't be surprised to see the same thing happen to Linux. The most Unixy way of determining what files are is to actually look in them for a binary magic number or for ASCII keywords (like the "file" command does), but that's so much slower (for large groups of files) than just checking extensions that applications behave both ways.
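Added example, not part of any comment in this thread and not Intego's or Apple's code: a check for the "dual types" problem described above, comparing what the file name shows the user with what the type code and the file's first bytes say. It goes slightly beyond the MP3 case by also covering the `.mp3.app` / `.jpg.scr` naming trick mentioned in the thread. Function names are hypothetical; the caller is assumed to supply the 32-byte FinderInfo blob (exposed on current macOS as the `com.apple.FinderInfo` extended attribute); the `APPL`/`vMP3` codes come from the plist quoted in the thread, and the sample bytes are constructed.

```python
"""Flag files whose name, Finder type code and content disagree (added example)."""
import struct
from pathlib import PurePath

MEDIA_EXTS = {".mp3", ".jpg", ".jpeg", ".gif", ".png", ".mov", ".pdf"}
EXEC_EXTS = {".app", ".exe", ".scr"}      # executable endings mentioned in the thread
EXEC_TYPE_CODES = {b"APPL"}               # classic Mac OS type code for an application
EXEC_KINDS = {"mach-o", "elf", "pe", "script"}
EXEC_MAGIC = {
    b"\xfe\xed\xfa\xce": "mach-o", b"\xce\xfa\xed\xfe": "mach-o",
    b"\xfe\xed\xfa\xcf": "mach-o", b"\xcf\xfa\xed\xfe": "mach-o",
    b"\x7fELF": "elf",
}


def parse_finder_info(blob):
    """Return (type, creator) from a FinderInfo blob; None for unset fields.

    Bytes 0-3 hold the file type and bytes 4-7 the creator, both as
    four-character codes. Four NUL bytes mean the field is not set.
    """
    if blob is None or len(blob) < 8:
        return None, None
    ftype, creator = struct.unpack(">4s4s", blob[:8])
    return (ftype if any(ftype) else None, creator if any(creator) else None)


def sniff_content(head):
    """Tiny magic-number check on the first bytes of the data fork."""
    if head[:4] in EXEC_MAGIC:
        return EXEC_MAGIC[head[:4]]
    if head[:2] == b"MZ":
        return "pe"
    if head[:2] == b"#!":
        return "script"
    if head[:3] == b"ID3":
        return "mp3"
    # MPEG audio frame sync: eleven set bits (a deliberately loose test)
    if len(head) >= 2 and head[0] == 0xFF and (head[1] & 0xE0) == 0xE0:
        return "mp3"
    return "unknown"


def audit(name, finder_info=None, head=b""):
    """Return a list of findings for one file; an empty list means consistent."""
    findings = []
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    ftype, _creator = parse_finder_info(finder_info)

    # Media extension shown to the user, application type code seen by the OS.
    if ext in MEDIA_EXTS and ftype in EXEC_TYPE_CODES:
        findings.append("type-code-says-application")
    # Media-looking name with an executable ending that may be hidden.
    if ext in EXEC_EXTS and len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTS:
        findings.append("media-name-with-executable-ending")
    # Media extension, but the data itself starts like a program.
    if ext in MEDIA_EXTS and sniff_content(head) in EXEC_KINDS:
        findings.append("content-is-executable")
    return findings


# Constructed sample data (not taken from any real file).
POC_FINDER_INFO = b"APPL" + b"vMP3" + bytes(24)   # type, creator, rest zeroed
MP3_HEAD = b"ID3\x03\x00\x00\x00\x00\x0f\x76"     # start of an ID3v2 tag

if __name__ == "__main__":
    samples = [
        ("virus.mp3", POC_FINDER_INFO, MP3_HEAD),
        ("MyMusic.mp3.app", None, b""),
        ("song.mp3", None, MP3_HEAD),
        ("song.mp3", None, b"\xfe\xed\xfa\xce" + bytes(4)),
    ]
    for name, info, head in samples:
        print(f"{name:18} {audit(name, info, head) or 'consistent'}")
```

The first sample passes a content check because its data fork really is MP3 audio, which is why the type code has to be compared as well.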
It's obvious that this isn't a virus in the same sense that windows users are accustomed to (read: != outlook worm). It is, however, a good reminder for users everywhere that malicious code can still find its way into your hot little hands.
Dumb people will still double-click on anything in sight, until their screen/RAM is completely full, then reboot and start over. Maybe we should just hand out Etch-a-Sketch's and call them laptops, a-la Dilbert.
*shake-shake-shake*
-Foo
Very interesting - it does work, but only if opened from the finder or the like, e.g. if you open it in itunes or drag it, it plays the music, but not the executable
The Trojan description is:
1) Make a valid MP3 file
2) Make the beginning of the file a JMP instruction (assembly code) that tells it to jump to the point in the MP3 where the ID3 tag is stored.
3) Put a virus in the ID3 tag.
What's to prevent this from working on Windows? It's a brilliant, and scary plan... . It would be especially effective if linked on a website, as Windows accepts MIME-types first and extensions second now.
Mac Zealots piss you off? Oh WAH. PC users have gotten to have every damn thing their way for decades - eat me. You don't like Mac Zealots because you're scared to death one day PC users might have to go through the same kind of shit you've given Mac users forever. I can imagine that would strike fear into your ignorant, bigoted little heart. PCs are miserable pieces of shit.
sucks for all those people (me) who set their OS X machine to always stay root...I'm gonna go cry while I try to fix it, or perhaps I just won't download these so called "dirty MP3's".
From my read of their PR page about this, it sounds like something they entirely fabricated themselves to sell their software. There is nothing in the wild and no reports on respectable security sites, just Intego saying they "isolated" something and you should buy their FUD^H^H^Hproduct. As others have pointed out, a trojan is possible on any system if you can get the user to jump through elaborate enough hoops. So the next time you download an unknown MP3 (or whatever) file with an intact resource fork from an anonymous source and give it executable status so you can double-click it instead of just adding it to your iTunes library (or playing it in Finder with a single click in column view), be glad you also shelled out money to Intego so that you are protected from your own stupid and unnecessary actions! That it's come to this shows just how hard it is for anti-virus types to make money on the Mac.
??
How is this any different from someone releasing a Windows Virus with a boatload of file padding, naming it song.mp3.exe, and putting the Windows Media Player or Winamp file icon on it? Haven't we already been through this with viruses before? kournikova.jpg.scr and myparty.yahoo.com come immediately to mind...
Am I wrong? IS there somehow a discordance in the way OSX handles filename extension-typed files and Type/Creator-typed files? It just seems trivial and non-newsworthy to me. Apple can patch for this in no time; why pay $60?
--Jasin Natael
True science means that when you re-evaluate the evidence, you re-evaluate your faith.
Microsoft today placed a strange ad in the Seattle Times classifieds. The ad called for programmers with mac experience who have no scruples about developing malicious software.
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
If you'd been a third-class citizen for decades, subjected to an endless stream of ignorant, childish humor and calculated insults, perhaps you'd understand. It's rare to find a PC user that has ANY understanding of Macs, let alone any compassion. Personally, I'm waiting for the day when I see M$ HQ get the pickup truck treatment. I'll dance on the ashes.
He never said they didn't. But that doesn't make cheating on one's partner okay.
And tomorrow the stock exchange will be the human race
You find it ironic that a problem is found by people who make their living looking for such problems???
I have a hard time seeing why the parent is flamebait, especially when given a smile.
He *is* right in that what you have here is an honest-to-God architectural security problem with the Mac OS. It isn't a coding bug or a stupid user -- Apple clearly defines how to determine file type in their specs, which will now need to be revised.
And I think he's pretty accurate in claiming that this *does* embarrass a lot of people that were making semi-bogus security claims about the Mac OS.
Had he said "Yes, now we can all tell that Mac OS X security sucks", then sure, he'd be flamebait. But he was spot-on accurate in his statement. Modding him down because you don't like the truth of something he's saying is just silly -- a religion, a text editor, or a computing platform that cannot stand up for itself on its own merits should not have you trying to suppress valid criticisms of it. If it can, it doesn't *need* you trying to suppress valid criticisms, because those are minor compared to the benefits of the platform.
May we never see th
Here, I've got another proof of concept virus:
1. Write virus
2. Apply custom icon of an mp3 file
3...
4. $60 Profit
Rationality on slushdot is like a breath of fresh air in a roomfull of farts.
One virus or Trojan every three years? I can stand that.
Can you understand that past performance does not indicate future performance?
Also your sample size is questionable. Classic Mac OS' history is irrelevant to Mac OS X. Mac OS X is a far more interesting and potentially lucrative target. It combines a highly capable Unix environment (home turf/holy grail for hackers) with usually unsophisticated (wrt security) users who have no admin to watch over them. This is only the beginning, get used to that.
ResEdit.
Is this rock and roll, or a form of state control?
Thanks, that's one of the funniest things I've read today.
Maybe you should read a bit more about the issues then. Try looking at the approach on terror, and Kerry's statements about treating counterterrorism as primarily a police matter, which is the same approach used by Clinton (that set our embassies and the USS Cole up the bomb). It's really really hard to debate whether or not the economy is recovering right now - nobody knows until it actually has recovered fully. But if you put the economy ahead of national security, you'll lose both.
This trojan horse doesn't "infect MP3s", it masquerades as an MP3. It doesn't infect anything. That's why it's called a trojan horse and not a virus. Come on guys. Try reading the article for once.
A .Mac subscription comes with a free copy of Virex (McAfee) along with all the other free apps.
Personally I'm just going to download the Virex update when it becomes available, but since I've now gotten used to installing countless Security updates via OS X's Software Update app without hearing a whisper about any vulnerabilities I'm guessing Apple's ahead of the game.
Personally I like the fact that we now have a trojan - proves at least that we're not defended entirely by obscurity as some might suggest :)
Who double-clicks an MP3? You drag it into iTunes, duh.
That "later" is now.
No it isn't, where's the virus?
While I agree with you in principle on the complacency issue, I don't see any reason to go BUY some "AV" software. Especially if Apple can do an update patch for this "potential" problem.
I like microcars
April fools was a week ago!!
Apparently, you can't fucking count.
Apple still doesn't have a high enough market share in trojan horses.
"No one ever said it was physically impossible for Mac OS X to have a trojan"
Yes, they have, on several hundred occasions on Slashdot alone.
Would anyone like to admit to it now, or must we search the archives?
It's not that hard to admit that you're wrong, people.
Someone on /. commented that Windows users would be "silent carriers" of these infected files. But if it requires a resource fork, the Windows machines would have stripped them off. These files would only be viable if copied from HFS to HFS, right? Dropping these mp3s onto any other file system would effectively 'kill' them.
It should be noted that the would-be virus code is not executed by OS X when opened with an audio application. It skips over the JMP (or however they implemented the hack) and just plays the audio content.
If you throw virus.mp3 into your favorite p2p sharing system (or a web site, or most sharing methods other than AFP) the downloader will only get the data fork. That's why they had to put it in a .SIT archive first. Now you have to include code to rearchive the trojan before passing it on.
To do self-propagation right, go for pure data fork. Maybe AppleScript. A simple version would just read from AddressBook.app and spew to Mail.app. Bonus points if you detect/use other email clients too, including OS 8/9.
apart from the price, most people with any reason don't have a problem with macs.
many of the replies reinforce what DOES put us off the mac... its pissy chip-on-their-shoulder fanboy users.
Like I said, this is trivial and stupid... but I spent a few minutes and made a different version of this trojan. Check it out below, it "looks" like a JPG file (if you have "always show file extensions" off), but is really an application with an embedded JPG file which it opens after printing some benign messages to the console.
It is an .app package so it would be kind of hard to distribute it via a P2P mechanism or something, since it needs to be .zipped (or whatever) to transfer it as a single file.
Anyway, check it out:
fakeJPGTrojan.zip
Sanity is not statistical.
You are correct. What kind of superpowers does your superhero have?
Tux? He can slide on his belly really fast. You think it's easy, you try it -- you'll get terrible burn.
I could never figure out why Jobs gets Mac users cheering him for the "Reality Distortion Field". It just confuses the *dickens* out of me. What you're saying is that he has personal marketing talent makes people forget reality and make poor decisions. That doesn't seem to be a *good* thing for one's platform -- honestly, it seems to be a rather *bad* thing. Wouldn't you rather, you know, say that people are buying and choosing the Mac for reality-connected reasons?
And the even weirder thing is that people are fans of Jobs *because* of this, and are *aware* of it. It's like saying "that Nike guy sure is good at suckering people into paying top dollar for Nikes" while flashing your new white Nikes at someone. It just doesn't make *sense* to me at all.
Personally, I don't like Jobs at all. If I had to choose someone at Apple to name a personal hero, it'd be Steve Wozniak. Woz is far more technically talented than Jobs -- Jobs did marketing, Woz was the engineering guy for the Apple I and much of the Apple II. Woz was a fan of expansion (and the reason there were a ton of expansion slots in the Apple II and why it was so hackable). Woz is friendly (not anal), a good engineer (not a good marketer), and left to help teach children how to use computers (Jobs ran out and played power politics in the tech industry.) Jobs was a die-hard opponent of expandability and user customization of systems -- he wanted to sell a single, packaged, product. The PDS slot (the only reason one can upgrade the processor on a large number of Macs instead of having to buy a new one) went into Macs after Jobs explicitly opposed it, and had to be slipped in under bogus pretenses. One of the biggest complaints from current non-Mac users about considering switching to the Mac is the lack of multiple buttons (especially irritating on laptops, where the only workaround is lugging around an external mouse). Jobs is the primary reason Apple refuses to move away from a single button mouse (even in a world where people are regularly exposed to at least two-button mice and where even Apple ships an OS with contextual menu support as standard). When Jobs came back from Pixar, he got most of the credit for bringing Apple back to profitability, much of which he really didn't deserve (like the employment cuts). Jobs has always placed a low value on keeping his systems affordable, and was the reason that Apple's first Mac-like system, the Lisa, was so hideously overpriced. Jobs refused to put himself in a position for being responsible for what happened at Apple immediately after he came back, but still promoted himself heavily after every gain Apple made (he wouldn't be regular CEO, but placed himself right up in the pole position for Apple visibility).
He pushed his buddies from failing NeXT into power positions at Apple when he came back, and killed the Be deal (which would have given Apple a stable and powerful *IX-based OS years earlier, and a big head start over Microsoft on stability). Jobs doesn't, IMHO, really deserve the adoration that he gets -- he represents many of the bad things about Apple, and not the really good ones.
My only guess is that Mac folks want a hero, and Jobs is the most visible person (mostly due to his own efforts). The thing is that there are much more brilliant people involved with the design of Apple's systems that really have done amazing work -- look at, say Bill Atkinson, who did much of what made the Mac amazing -- the Mac's GUI design, QuickDraw, HyperCard, MacPaint, etc, or the Woz, who's just a brilliant engineer and all-around good guy.
May we never see th
This isn't the first Mac OS X virus in the wild. We caught one last year on an iMac. It actually erased everything on the entire drive.
OK, I won't. :)
I like microcars
oh, NO, script weasels have discovered the mac! and one of them actually downloaded some tips on programming one! we are all doomed, DOOMED!
guess I will have to click update on the antivirus package, then.
apparently nobody remembers the "brain" and "cascade" days when there was just as much shitware generated for classic macs as for MS-DOS boxes.
almost nap time. wake me up when virii, trojans, spam, flyers under the windshield wipers, rain on weekends, and allergies become urgent matters of national defence. I'll keep practicing safe hex and not opening unsolicited slop from electronic, as well as physical, sources that don't know me and propose to do abnormal things.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I agree. I like the new system a LOT more than the old PITA type and creator codes, that required ResEdit to fix. The OSX way is worlds better. It's not like there were no trojans for Classic MacOS, so it's really a straw man argument. The best defense in this case is that the resource fork will be removed if the MP3 is transferred naked (not in a compressed archive), rendering it non-functional as an executable application. When that happens, double-clicking on it will just launch iTunes, which will then choke on the garbled .mp3 file. I dunno about everyone else, but I sure as f**k ain't gonna download a .sit or .zip email attachment unless I'm expecting one from someone.
"I like systems, their application excepted", George Sand (French)
Quoteth the article: The company says that Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it. But double clicking the file launches the hidden code, which can damage or delete files on computers running Mac OS X, then iTunes to play the music contained in the file, to make users think that it is really an MP3 file. While the first versions of this Trojan horse that Intego has isolated are benign, this technique opens the door to more serious risks.
When a file pretending to be a .mp3, .mpeg or .avi (or any similar media file) does not show a preview in the Finder's column view, I delete it for being corrupt or plain bogus. That, and I don't double click those files. I drag them to the corresponding player.
But of course I'm not sure that's how the majority of mac users do.
Maybe we deserve this world ?
One of the points I make is that Mac users were actually hit by the Sobig and Mydoom virus(s) because they were email propagation worms - Macs get email .... so.... email was FAR exceeding normal SPAM the few days of propagation.
I also said that mac lovers bragging about no mac viruses may be asking for it to happen ... even prompting it.
Yell & scream & rant & rave... it's no use... you need a shaaaave ~ Bugs Bunny
... for an Ogg Vorbis compatible version of the trojan?
I noticed a lot of people going on about, "I'll now be more suspicious of any mp3's I get like this", but what no one has mentioned is that it ain't just mp3 files you could do this trick with, it is probably a wide array of file types.
This is a self launching application in sheep's clothing, who says it has to be an mp3 flavored one, and it doesn't have dependency on the app to run, only that it be there.
Huh, use ogg and be free ;)
NO FAT CHICKS.
No, no, that wasn't a virus, just 10.3.2. (Note to would be flamers - I have a mac and love it!)
+4 Informative for five seconds worth of HTML code?
I wonder if the virus can propagate as a shared iTune? So if someone on a corporate lan added that to their shared iTunes and someone played I wonder what would happen?
"With enough memory and hard drive space, anything in life is possible!"
Second, an OS X application is actually a directory with '.app' trailing the name. This is possibly the dumbest thing that I've ever seen Apple do recently. Not only is it cumbersome and extremely resource intensive, but it is a glaring security hazard.
A.) Apple didn't do it - NeXT did.
B.) How is this cumbersome?
C.) Resource intensive? Bollocks.
D.) Glaring security hazard? Bollocks again. Double bollocks.
I downloaded this sample virus and tried to open it, but Panther told me I didn't have permission to open it. So, unless you're logged as admin it looks like it ain't gonna work.
If I didn't have absolutely NOTHING to do, I wouldn't be here.
Indeed. It is just a way to sell software it seems. The file in question is a compressed CFM Application (it must be compressed or encoded in some way as the internet destroys the resource fork and makes this application nothing more than a tame MP3 file with laughter).
The cfrg resource gives the offset of the executable code in the data fork as 64 bytes with a length of 3215 bytes. Which is the exact length of the ID3 tag in question. So the application part is completely ignored by MP3 players and the MP3 part is completely ignored by the Application and OS.
The real question is why didn't the author just put all the executable code in the resource fork. The resource fork is required because the cfrg resource (among others) are required for OS X to launch CFM applications.
I wonder just how many people won't be confused when they see an mp3 file in a stuffit archive. How often do you download mp3s in compressed archives?
The file is a CFM application. As others have pointed out, this means that it has a resource fork which it needs in order to be able to run. Thus, it must be downloaded as a compressed file. If the resource fork is stripped, it is harmless, as the payload will never be executed.
Its name ends in ".mp3", and the included icon is copied from an iTunes MP3 file, but its type code is APPL, an application. The data fork is a valid MP3 with PowerPC executable code inside the ID3 tags. When given to iTunes or another MP3 player, it simply plays the included sounds without executing code. When double-clicked on from the Finder, the surrounding bits of MP3 file appear to be ignored and the code is executed. The payload for the proof-of-concept displays a dialog box, then tells iTunes to play the file itself, presumably via AppleScript.
When double-clicked, it shows up in the dock as an application, though this could be suppressed in an actual hostile trojan just like many utility programs do. In the Finder, if one is using column view, it is identified as an Application instead of an MP3 File, and its icon is shown instead of a QuickTime-style playback bar for previewing the contents.
In terms of an actual exploit, the only thing going on that is even possibly questionable at an OS level is the presence of other stuff in the data fork before the Joy!peffpwpc tag. I am not certain if this is allowed in the definition of what a PEF executable is supposed to look like. Aside from that, there is nothing else that is tricking the OS into doing something it shouldn't do, only legally included information that is deceptive to a user who is not looking carefully at things.
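A defender-side check for the layout described in the comment above, as an added example that is not part of the thread: it reads only the data fork, locates the leading ID3v2 tag, and reports any PEF container header (`Joy!peff` followed by an architecture code) inside it. The function names, the extension list and the sample bytes are constructed for illustration; the type code and resource fork are not visible to this check.

```python
"""Flag media-named files whose leading ID3v2 tag carries a PEF container header."""

PEF_MAGIC = b"Joy!peff"                 # PEF container header: tag1 + tag2
PEF_ARCHS = (b"pwpc", b"m68k")          # architecture field that follows the tags
MEDIA_EXTS = (".mp3", ".mpeg", ".avi")  # extensions named in the thread (assumed list)


def synchsafe_decode(raw):
    """Decode a 4-byte ID3v2 synchsafe integer (7 usable bits per byte)."""
    if len(raw) != 4 or any(b & 0x80 for b in raw):
        raise ValueError("not a synchsafe integer")
    return (raw[0] << 21) | (raw[1] << 14) | (raw[2] << 7) | raw[3]


def synchsafe_encode(n):
    """Encode an integer below 2**28 as a 4-byte synchsafe value."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def id3v2_span(data):
    """Return (start, end) of a leading ID3v2 tag, or None if there is none."""
    if len(data) < 10 or data[:3] != b"ID3":
        return None
    major, flags = data[3], data[5]
    try:
        size = synchsafe_decode(data[6:10])
    except ValueError:
        return None
    end = 10 + size                      # 10-byte header plus tag body
    if major == 4 and flags & 0x10:      # ID3v2.4 footer adds 10 more bytes
        end += 10
    return 0, min(end, len(data))


def pef_headers_in_tag(data):
    """List (offset, architecture) for each PEF header found inside the tag.

    MP3 players skip the tag, so executable code parked there never reaches
    the decoder; that is why the tag region is the place to look.
    """
    span = id3v2_span(data)
    if span is None:
        return []
    start, end = span
    hits = []
    pos = data.find(PEF_MAGIC, start, end)
    while pos != -1:
        arch = data[pos + 8:pos + 12]
        if pos + 12 <= end and arch in PEF_ARCHS:
            hits.append((pos, arch.decode("ascii")))
        pos = data.find(PEF_MAGIC, pos + 1, end)
    return hits


def looks_like_disguised_app(filename, data):
    """True when a media-named file has a PEF header inside its ID3v2 tag."""
    return filename.lower().endswith(MEDIA_EXTS) and bool(pef_headers_in_tag(data))


def build_sample(with_pef):
    """Constructed sample: ID3v2.3 tag, optional PEF header at file offset 64."""
    filler = PEF_MAGIC + b"pwpc" + bytes(28) if with_pef else bytes(40)
    body = bytes(54) + filler + bytes(100)
    header = b"ID3" + bytes([3, 0, 0]) + synchsafe_encode(len(body))
    audio = b"\xff\xfb\x90\x00" + bytes(64)   # stand-in for MPEG audio frames
    return header + body + audio


if __name__ == "__main__":
    for label, blob in (("constructed-suspect.mp3", build_sample(True)),
                        ("constructed-clean.mp3", build_sample(False))):
        print(label, pef_headers_in_tag(blob), looks_like_disguised_app(label, blob))
```
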
The same reason there is "N'Sync".
Who would want trojans or viruses like this to exist?
I wonder if it is RIAA behind it - they for sure would love if the people were suddenly too scared to download music illegally.
Another group that does get profit from this is the anti-virus companies. Since mac os x was practically virusless platform, not everybody urged to have an anti-virus program. I am sure the anti-virus program sales for macs go up this week.
in response to having their FairPlay DRM cracked
Actually it was the iTunes 2.01 installer or something like that. Google it.
No. But it is quite humorous that you believe all Virus Companies are devoid of malevolence.
BeOS virus ? Something to keep you awake at night... BeOS could also set arbitrary icons for files to disguise their real types. This problem is nothing new.
--
I romp with joy in the bookish dark
- Download file with a name like Yeah-Usher.mp3.sit with your favorite downloader.
- Decompress said StuffIt file. If you use Safari and have "Open "safe" files after download" or use Camino and have "Automatically open downloaded files" checked you can skip this step
- Open up the file in attempt to view/listen to it
- Suffer ill effects of worm
I'm not too worried even if a Security Update isn't released to fix the problem. I suppose a worm of this sort will affect the sort of people that open attachments from strangers and type in their administrator passwords despite warnings against such actions. For them there isn't much you can do except take their computer away.
I'm a loner Dottie, a Rebel.
NeXT did it for a good reason: NeXTSTEP ran on four different hardware platforms and had fat binaries. Within the foo.app directory, there'd be foo-moto, foo-386, foo-sparc, and foo-hpux binaries. The OS would then attempt to execute the appropriate binary for the hardware platform the OS was running on.
OS X uses the .app directory so all the resources, bitmaps, and supporting files are in that one directory. That is why I can reinstall OS X and have MS Office X and all my other applications still work without reinstalling everything. I suppose they could still do fat binaries as well if they ever decided to do so.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Check out the website, www.intego.com.
One of the lesser known new features about Gnome 2.6 is that nautilus will warn you if you try to perform the default action on a file if its extension and mime type don't match.
"The United States has no right, no desire, and no intention to impose our form of government on anyone else." - Bush 05
I have an extra user account for mucking around with programs I don't trust. Fast User Switching makes this relatively easy -- I guess if I was paranoid, I would use the dummy account more often.
How hard would it be for Apple to make it possible to log in as several users, but have those users' apps running on one screen? I.e., how hard would it be to implement Fast User Switching on a per-application basis (maybe with the user indicated in the upper right corner of the window)? Then if apps by default were launched by a low-security user, even this sort of trojan horse wouldn't be able to damage my important files.
If Apple did this, surely we OS X fans could claim it is inherently more secure (without getting shot).
no i think the mach-o objects (the code) are fat. one file contains the executable, while the directory contains all the data... especially the interface definitions. in theory you could copy English.interface directory, can't remember the actual name and do the interface translation in the interface builder.
No, he's referring to Fahrenheit 451 -- you know, where the firemen are the ones starting the fires, not putting them out... Mix this with a little cut-throat capitalism, and you have a conspiracy theory (a damn good one at that)! :^)
Slashdot's first reaction to VMware
Average Windows users know command lines?! What kind of fucked up world do you live in?
The average Windows user doesn't know how to map a network drive; doesn't know how to properly unmount a USB Storage Device in Win2k; doesn't know how to CANCEL PRINT JOBS if there isn't an annoying window from the bullshit software that pops up when you print.
The average Windows user doesn't know how to format a disk; doesn't know how to look at a full mail header, doesn't know how to Mail Merge.
The average Windows user doesn't differentiate between hard disk and "memory"; doesn't know how to clear the Recent Documents; doesn't know how to change their password.
The average Windows user hasn't used net send, ping, or even winipcfg. They don't know where to change the resolution on their monitor; they only change the Background from a right-click menu in Internet Explorer.
They have never intentionally used an F-Key that wasn't modded to do something special on their multimedia keyboard. They have no idea that Ctrl-F6 will switch between panes, so you don't need to click back and forth when designing a table in Access.
They don't know that Print Screen copies their screen to the Clipboard. Hell, they don't know what the Clipboard is.
The average Windows user doesn't know what Temp files are; has no concept of file permissions, can't make a Pivot Table; doesn't know how to uninstall programs; Has at least two things in their system tray they can't identify; has never performed a full backup of their data; and certainly has never touched their Registry.
Even tech support often doesn't know enough about the command line, like using "~1" doesn't mean you don't need the extension, or that Program Folder 8.1.1 becomes Progra~1.1 or that you can type the whole damn thing in quotes.
Maybe ten years ago the average Windows user knew something about the command line, but not anymore.
Huh? I normally drag MP3 files to iTunes and then press the play button anyhow.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
On Windows we had Trojans of this level of complexity -- really little more complex or interesting than distributing an AOL password phisher as porn and/or a game -- ten years ago. This can affect anything from Palm OS up to a mainframe. It'd be something to be scared about if a worm came out for OS X that can infect without any user action.
... at least on classic mac OS, they always were apple-scriptable, built in. that's typing crap to do stuff, near as I can see. I always liked mine, never got a single cootieth. They existed, but I ran the net for many many years with classic, did what I wanted, never got owned or lost data, no firewall, no nuthin. Biggest problem I could consistently count on was netscape freezes. Dang I'll give that to anyone, it for-sure happened. If one learned to allocate correct memory to apps though, then there was no problem multi tasking with anything else. Switched to iCab when it came out, got rid of that browser borking the system syndrome, plus speeded up surfing considerable. Heck, I put iCab on an old quadra and that thing is a surfin machine, put it on a 280c, works great. iCab was years ahead of other browsers, IMO,for most features, so was soundjam, still my favorite tunes/streams player, always worked well, low foot print.. Installing apps, I mean, about as dang easy as it can get short of thought control. Still got my PB 1400, love it.
I mean, what is wrong with the concept of "just works"? I think it's a decent idea meself. Stuff SHOULD just work right from the git go the day you bring it home, then be customizable from there.
No idea on OSX, can't afford it, and switched to open source/free because after I was turned on to the philosophy of it,how cooperation makes better stuff, many hands make light work, etc, it made sense to me.
too bad apple never released classic as open source, just gave it away.
+5 Insightful Biologist.
The real poetry here is that you know everything there is to know about getting laid, except how it feels!
(Notice, I did not say irony, despite the popular perception of the meaning of that word.)
MacOS has always had a virus scanner, even though most viruses were for Windows. Disinfectant was written by John Norstad at Northwestern University. Great freeware app, and protected against all known mac viruses, of which there were literally on the order of 20 or so (while there were thousands of Windows ones). The best part was the Monty Python foot that came down in the About Box.
This kind of reminds me of adding extensions to the resource fork of otherwise innocuous system files in system 7-9.
One April Fools Day I installed a completely juvenile little extension called "Mouseturds" on my roommate's computer. But inside of "Mouseturds" I inserted an extension that reversed all of the text in the system. Inside of another file in the system (I believe it was directly in the Finder), I installed a second instance of the text-flipping extension.
When he first started using his computer, all of the text looked normal, but his mouse kept doing this terribly juvenile thing. "Cute, really cute." He said, removing that extension. You can't imagine his befuddlement when upon rebooting all of his text was sdrawkcab, simply for having cleaned his system. In the next few hours he drew up all sorts of crazy theories about dependencies, mounting extensions from the trash can, automatically installing programs when something is removed, and a mythical hidden second system folder. I didn't have the heart to tell him to watch the extensions list on the startup screen more carefully, but I didn't have the jaw if he decided to start swinging. He was not at all amused.
Moral of the story: No one thing is ever one thing on an apple system.
Other moral of the story: Never take a smart-alec joker as a roommate.
The ______ Agenda
In NeXTStep V1.0 (and I think 2.0), the entire application was stored in a Mach-O format file. Ultimately, there were resource issues involved in trying to keep the entire application and its resources in a single Mach-O file, which resulted in this being split up into a directory containing the resources, and the Mach-O file retaining the executable data required by the system loader.
That's not all that different from how classic Mac OS apps were stored in different resource areas of a file.
Because Microsoft Office (the mac port) adds the functionality of vbs-worms!
This comment does not represent the views or opinions of the user.
Huh? There's skepticism, and then there's blind faith. In computer security, events nearly always overtake corporate ability to respond. Better to be proactive, by using peer knowledge and review, than to wait upon Apple to acknowledge problems that will produce bad publicity for it.
Meanwhile, watch what mp3s you click on, my friend. ;-)
This has been mentioned here before, but people have seen other people,
1. Visiting a store with their iPod
2. Connecting iPod to Mac
3. Copying MSOffice.app to iPod
4. Disconnecting iPod and going home with pirated copy of MS Office for OS/X
"they could still do fat binaries as well if they ever decided to do so."
I remember having seen Apple-ications with Darwin PPC and Darwin i386 executables inside...
Considering OSX is based on Darwin, a BSD-derivative, didn't it have trojans that could work on it day 1?
(\_/)
(O.o) This is Bunny. Add Bunny to your signature
(> <) to help him achieve world domination.
The Intego Virus Barrier software just flags as "infected" any CFM executable whose name ends in a common file extension... which is why it STUPIDLY flagged as viruses the BMP, PCX and PNG plugins for Photoshop Elements. Which means it does not even check for a dot and something else before the file extension.
Proof (jpg)
Can you say "crappy" ? I'm sure you could.
Maybe we deserve this world ?
a couple things to consider...
it seems like mail.app is not fooled by this thing. Also, Get Info sees it as an application.
lastly, it has to be stuffed or its resource fork gets stripped and it's useless.
If this can only be executed by itunes then maybe it's not so bad after all.
I think they are bringing back fat binaries so that they can have 64-bit optimised apps for the G5 line that will work on the previous G4 and G3 generations without hassle.
Not sure if any of Apple's apps actually employ this yet.
I seem to recall that common Macintosh viruses were things like MDEF (menu definition) viruses or MBDF (menubar definition) viruses or WDEF (window definition) viruses. These are the names of certain kinds of code resources on Macintosh systems that could be used to define a custom look-and-feel in certain places where necessary. To hook up an MDEF virus and get it to execute, you would insert an MDEF resource into the program (*very* easy to do), and then modify one of the MENU resources to use that MDEF to draw itself. (similarly for MBARs with MBDFs and WINDs with WDEFs). There were also certain resource numbers you could choose to hide the corresponding system resources while running the program, and you wouldn't have to do anything else to change the program.
The reason is that there are viruses for MacOS X, despite the fact that mac idiots and slashdot monkeys deny that. MacOS X is in fact less secure and as you see has critical design flaws. On Windows, clicking on an mp3 file will open it on windows media player. MacOS X users should switch to Windows.
The linked article (and most coverage of this trojan) is very misleading. This trojan does not delete files, propagate itself, or infect other files. The press release from Intego just says that a trojan like this could do those things. Read the press release for yourself.
Intego Press Release
The important thing to realize here is that Mac OS X, while very secure, is not perfect. And no matter what OS you are using, you should be very careful what you double click! Let's hope Apple nails this quickly!
Assume you are writing exploits; you probably want to be effective, thus something being able to infect 2/3 of the net is a lot more interesting than 1/5(?; what's the apple market share right now?). Many people look for/code exploits for win*, thus a high percentage of (the many existing) bugs are found (and used).
The resource fork is not CFM-specific, and is not where metadata goes. Metadata, like the type and creator, are stored along with info like the filename. A file can have this metadata without having a resource fork.
A resource fork is used for extra data. Pre-OS X applications store dialogs, sounds, pictures, icons, strings, and even program code in the resource fork. All files on Mac OS X are capable of having resource forks, this is used by programs like BBEdit which store cursor & window position in the resource fork of text files you create.
Mac OS X is only capable of running one type of application binary, the Mach-O executable. When you run a CFM (Code Fragment Manager) application, launch services will run the 'LaunchCFMApp' program transparently. Normal CFM programs require a 'cfrg' resource in order to function, as well as a 'carb' resource to launch outside the Classic environment. CFM applications aren't necessarily Carbon, but that's by far the most common case.
The program isn't all that special. It has a custom icon, like every other application, but the icon looks like an MP3. If you transfer it without archiving it with Stuffit or MacBinary, the type & creator get killed (can't launch) and the resource fork goes away (no custom icon, can't launch). Since the data fork is a valid MP3 file, when you launch the stripped version it will open iTunes and play. You can also strip the file by going to the command line, and running 'cp virus.mp3 virus2.mp3'.
The 'cfrg' (Code FRaGment) resource is usually created automatically by development tools. It specifies where in the data fork the application code resides. So it's trivial to create an application that is also valid as a different kind of file.
I suspect it will catch the kind of people who put '.' in their $PATH, browse slashdot as root, and open email attachments in Microsoft Outlook.
Oh, and don't think that Mac users haven't had *problems* with viruses, as any Hypercard programmer will tell you (I hated MerryXmas virus).
But I can't be bothered.
You're an idiot.
Shouldn't you be wiping your hard drive and reinstalling Windows, instead of posting as an Anonymous Coward?
"The more corrupt the state, the more it legislates." - Tacitus
still apple's fault..
because they should have reviewed and remedied the code beforehand.
Having been raised on a Mac, I expect to be able to screw with the name all I want without the file magically changing type. The name of the file and its type are not the same information. Extensions are the lowest denominator solution, same reason people have to tar their sources before uploading -- to preserve the files' executable flags, which get stripped over HTTP.
Ideally, I would like my filesystem to know the MIME type of my files. Remember when you could look at a file you downloaded on a Mac, and you could get the URL it was from? Metadata is insanely useful.
Oh, and if you use a Mac to copy files to foreign file systems, the metadata and resource forks will be preserved (through extra hidden files).
Looks like they're another step towards being an actual computer. I joke!
Si tacuisses philosophus mansisses. If you had kept quiet, you would have remained a philosopher.
. . . just give us your credit card number and everything will be fine.
But seriously; they paint the situation much worse than it currently really is, because they want ordinary users to be frightened of getting a virus. And that's because people who are frightened of getting viruses buy anti-virus packages.
It looks like someone noticed a potential security flaw to do with the way MacOS X presents files and file types to the user. He asked around on a Mac programming group to make sure he wasn't being paranoid, people there confirmed it was possible and one even made a test case (totally benign - it runs code but does nothing else). Here's a link to that thread on google groups.
Intego caught wind of this, and immediately issued a press release describing how the sky is falling, no one can trust anything any more, claiming credit for the discovery, and by the way have you noticed we sell a product which will prevent infection? Buy it now!
yes, but david beckham is married to skeletor. it's only a matter of time before He Man finds out and fucks the bitch up. Therefore beckham should get some practice in before battle cat starts chewing on her.
http://www.lowendmac.com/lite/03/0813.html
Does anyone know if this 'Switchback' virus is real or not?
Men believe what they want. - Caesar
God, I wish fucking MS would get off their ass and make their shit secure...
errr...
shit.
-Mark
Dovie'andi se tovya sagain.
The .mp3 was just a proof of concept. Compression is how a lot of windows viruses in the loose work in very similar means now, as many mail servers now block file formats like .exe . Yes, most people won't be fooled by a .mp3.sit but what about something like a .doc.sit?
Marxism is the opiate of dumbasses
NeXTSTEP did not run on four different platforms. OPENSTEP might have - NeXTSTEP did not.
And they never used 'fat binaries'. Apple did, NeXT did not. The whole idea of subdirectories under 'Contents' such as 'MacOS' contravenes this - they had different directories for different binaries at best, but remember, NeXTSTEP did not use HFS+, they used UFS, so there was no way they could have made a fat binary anyway.
The directory as an app only means you have a different model for application development. They saw no reason to bake everything into the same file so you got things that were only accessible by products such as Resource Workshop and the like.
The presumption is as well that few standalones, even on other platforms, are true standalones, and so - especially with the NSBundle class at your service - you can create and manage a single self-contained entity.
Yes, you could have multiple binaries within foo.app; but these are not 'fat'; they're distributed into different subdirectories. Big difference.
Cocoa apps are a security hazard, but then so is X11. Cocoa apps can be compromised through their input managers, the Objective-C runtime, and the Apple services menu. Which is why no Cocoa app should ever run SUID root: anything invoked will be root too.
But that being said, Apple have about the most secure platform going today. SUID stuff is taken care of behind the scenes by console apps which are much more difficult to compromise, and security awareness is very high.
If I were to put my money on exploiting either Cocoa or X11, I'd go with X11.
Try Suspicious or (sarcastically) coincidentally
5. Finding that the pirated copy does not work, because they do not have the 25 character product key that comes with the installation CD.
Each copy of Office has its own product ID embedded in the software, and the product key works only with the associated product ID, so the whole procedure would be an exercise in futility.
They would be more successful with shoplifting a MS Office software box from the store, but of course THAT WOULD BE STEALING.
(For those of you who can't tell, yes I am being sarcastic at the end there.)
Damn you, AC, for putting me in a position of defending MS
(which is why I am also posting as AC).
NS 3.3 ran on four platforms. That was the last version I used, and I distinctly remember it. There were even NeXTSTEP utilities that "thinned" out these fat applications and only left the thin executable you needed.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
You are correct. I downloaded a couple of these apps and checked them out. Though I could have sworn there were some with separate binaries, this was back in 1995, so my memory is hazy.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Nextstep did run on four platforms, and NeXT did use fat binaries. The binaries for the architectures were together in one MachO binary file, each in a different MachO segment. NeXT's fat binaries didn't use the resource fork like Apple's did.
Commandline programs, which have no directory bundle, could be fat, because the architectures were just concatenated. Mach just goes to the appropriate segment to find your computer's binary.
There was a tool called 'lipo' which was used to remove architectures from a binary, and otherwise manipulate them.
lipo as in liposuction, from 'fat binary'.
The directories you're thinking about are perhaps the different .lproj directories for interfaces for different languages.
lipo is still in OS X, apparently unchanged.
NAME
lipo - create or operate on fat files
SYNOPSIS
lipo [-info] [-detailed_info] [-arch arch_type input_file] ... [
input_file] ... [-create] [-thin arch_type] [-replace arch_type file-
name] ... [-remove arch_type] ... [-extract arch_type] ...
[-extract_family arch_type] ... [-output output_file] [-segalign
arch_type value] ...
The lipo command creates or operates on ``fat'' (multi-architecture)
files. It only ever produces one output file, and never alters the
input file. The operations that lipo performs are: listing the archi-
tecture types in a fat file; creating a single fat file from one or
more input files; thinning out a single fat file to one specified
architecture type; and extracting, replacing, and/or removing architec-
tures types from the input file to create a single new fat output file.
Someone should point out that the distinction that you're making is in name only. The actual codebase is the same, rebranded as "OPENSTEP" when they published their API for open implementation. For all non-marketroid intents and purposes, NeXTstep did run on four architectures. I had the pleasure of using it on i486, an HP "Gecko" PA-RISC workstation, and one of those noisy Tadpole SPARC laptops.
And although the code segments were not interleaved within the same file in the way that you're thinking, the actual term was "fat binary" both inside NeXT and within the user community. There was even a tool called "lipo" (as in liposuction) to strip out the architectures that you didn't need. It still lives in /usr/bin on MacOS X today.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
Sorry to burst your bubble, but the whole 'app is really a directory' thing is a SOLUTION to the 'resource fork' storage problem. And it allows for cleanly implemented multi-platform 'fat' binaries. Apple's Classic fat binaries were kludgy, the CODE resource fork held the 68K binary and the data fork held the PowerPC binary, hardly extensible.
I've got an OSX install on purely UFS, and sure enough, it allows you to pack x86 and PPC binaries (or multiple PPC/X86 binaries, for optimization/bitness) into the same *.app so you can have one application file that executes on multiple architectures. It might not be Apple's hacked-up old kludgy way to get a 'fat binary' but it's effectively the same result but done MUCH cleaner and capable of living on many diverse file-systems.
Imagine how cool it would be to have ONE shared 'applications' folder mounted read-only on all your clients, the x86 clients execute the x86 code from camino.app and the PPC machines execute the PPC code from the same place. It would be an administrator's utopia!
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
NextStep ran on Motorola 68k (Next slab and cube), PA RISC (HP workstations), Sparc (Sun workstations), and Intel (specific PC's). Applications could be compiled fat on any of the four platforms and run on all four platforms with no modification.
jfs
The only thing worse than a Democrat is a Republican.
did not use HFS+, they used UFS, so there was no way they could have made a fat binary anyway.
MacOSX's partitioning tool has an option for UFS as well - you can install onto UFS (though with certain limitations).
in any case, the point of a fat binary isn't defeated by the filesystem issue. if I had i386 code in one section and a PPC code in another in my app directory, obviously I'm only going to be running one of those on any one machine, right? I'm happily cross-compiling apps for different architectures without HFS+ support here on my Mac, it doesn't hurt that I can't run the app or whatever as long as my filesystem can store it and then ssh it somewhere else.
but the point of "fat" distribs/packages is convenience on the part of the guys releasing the packages ("just click here!" as opposed to "click here if you are using X, there if Y, how do I tell if I am using X or Y?") AND the end users (in not having to worry about which link to click to download), at the cost of being a bit wasteful of space, but in these multi-GB HDD days it doesn't matter.
You can also have tuned code for specific processors. For example, executable code that was compiled with the best G4-tuning flags. And another executable with the best G5-tuning flags.
The loader could then pick up the most suitable executable without the program's intervention. Not too unlike how the OS X language setting affects which unicode strings are used.
Geez. It's the first MacOS X trojan.
Okay, it's not a Beethoven symphony. So what? It's a landmark, a milestone. It deserves mention.
-fred
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
...on Windows... I pre-ordered the port once I heard about it...
Now if only Duke Nukem Forever would drop...
We apologise for the fault in this post. Those responsible have been sacked. -- Signed RICHARD M. NIXON
This trojan was a proof of concept.
:
Why not also build a proof of concept trojan.
The exploit behind the trojan is quite simple, and a generic heuristics detection tool is easily made
- If file is an application, but has a name ending with a typical data extension : +1 warning point.
(Almost the same anti-trojan-mail filter concept as ".jpg.pif" on PC).
- If app's icon is the same as the datatype the app is trying to impersonate : +1 warning point
- If app folder contains data of the same type that the app is trying to impersonate : +1 warning point
This heuristic tool can be easily made open-source. Proving that you don't need to pay a huge $50+ bill, just to be protected against some script kiddie's crap.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
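The three warning points listed in the comment above, sketched as an added example (not code from the original post or from any tool mentioned in the thread). It assumes the classic FinderInfo layout (4-byte type, 4-byte creator, 2-byte Finder flags), uses the custom-icon flag as a weak stand-in for the icon comparison, and approximates "contains data of the same type" by checking the start of the data fork; all sample inputs are constructed.

```python
import os
import struct

# Data extensions worth flagging and the magic bytes a genuine file starts with.
DATA_MAGIC = {
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xfa", b"\xff\xf3", b"\xff\xf2"),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
APPLICATION_TYPE = b"APPL"   # file type the Finder treats as an application
HAS_CUSTOM_ICON = 0x0400     # Finder flag kHasCustomIcon


def parse_finder_info(blob):
    """Return (file_type, creator, finder_flags) from a FinderInfo record.

    On Mac OS X this record is what the com.apple.FinderInfo extended
    attribute holds; here it is passed in as bytes so the check runs offline.
    """
    if len(blob) < 10:
        raise ValueError("FinderInfo needs at least 10 bytes")
    return struct.unpack(">4s4sH", blob[:10])


def score_file(name, finder_info, data_head):
    """Apply the comment's three heuristics; return (points, reasons)."""
    reasons = []
    file_type, _creator, flags = parse_finder_info(finder_info)
    ext = os.path.splitext(name)[1].lower()

    # Point 1: an application whose name ends in a typical data extension.
    # The other two points only make sense once this one has fired.
    if file_type != APPLICATION_TYPE or ext not in DATA_MAGIC:
        return 0, reasons
    reasons.append("application type with data extension " + ext)

    # Point 2 (proxy, an assumption of this sketch): the file carries its own
    # icon, which is how an application would wear a document's icon.
    if flags & HAS_CUSTOM_ICON:
        reasons.append("custom icon set on the application")

    # Point 3: the data fork really does look like the impersonated type.
    if data_head.startswith(DATA_MAGIC[ext]):
        reasons.append("data fork begins like a real " + ext + " file")

    return len(reasons), reasons


def make_finder_info(file_type, creator, flags):
    """Build a 32-byte FinderInfo record for the constructed samples."""
    return struct.pack(">4s4sH", file_type, creator, flags) + bytes(22)


# Constructed samples: (name, FinderInfo, first bytes of the data fork).
SAMPLES = [
    ("virus.mp3", make_finder_info(b"APPL", b"????", HAS_CUSTOM_ICON), b"ID3\x03\x00"),
    ("song.mp3", bytes(32), b"ID3\x03\x00"),
    ("Player", make_finder_info(b"APPL", b"????", 0), b"Joy!peff"),
    ("notes.pdf", make_finder_info(b"APPL", b"????", 0), b"Joy!peff"),
]

if __name__ == "__main__":
    for name, info, head in SAMPLES:
        points, why = score_file(name, info, head)
        print(name, points, why)
```

A file scoring 1 is worth a look (a CFM plugin with a document extension would land there too, as a later comment notes about false positives); 3 matches the shape of the proof of concept described at the top of the thread.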
From what I've read so-far, this is not a virus or a trojan horse at all. It's a concept of social engineering. The idea is that you can make an attachment look like one thing and be another.
A virus spreads without your intervention - AFAIK this doesn't.
A trojan horse pretends to do one thing while doing another - AFAIK this doesn't.
I know, right now some of you are jumping up and down and getting ready - or have already - hit the reply button and have all manner of argument.
Let me point this out:
A trojan horse pretends to *do* one thing while *doing* another. This doesn't pretend to be an MP3 file - it just looks like one - nor from what I read is it actually playable in iTunes - so it's not an MP3 - it's an application.
Also it doesn't spread by itself - though it conceivably mails copies of itself to others if you launched it, so it's not a virus.
Back to my original statement:
So. Hope you've stopped being huffy, and got to this part - what do you do about it? For starters, don't launch things you get from people you don't know or don't expect.
Second, don't launch things you get from people you don't know or don't expect.
From my perspective this is just an attempt to create a marketing need for anti-virus software for the Macintosh.
Here endeth the lesson....
(PS. If you've got something to rebuke the above, I'm all ears - I don't profess to know everything about everything, but I'll confess I know a lot about a great many things to do with computing - hint: I've been doing this for a few years :-)
(Second hint: My first computer was a Commodore Vic-20)
Perhaps you should reconsider your unsafe habits or set up an untrusted account for testing software then... If you download a malicious executable, no 'anti-virus' program is going to stop it damaging your system when you run it.
you had me at #!
So the .mp3 file has to be zipped up in order for this exploit to work properly, yes? At first I thought this wasn't a problem. But then again, those zipped-up and password-protected windows viruses of late didn't save the lusers who opened them, did it?
And then I thought of something else. What about free webhosting places that don't allow you to store .mp3's on the server? And only allow .zip or .txt or .sit for file storage? A little disclaimer...
Download the newest Britney Spears .mp3! Sorry but my provider doesn't allow .mp3 extensions, just unzip and open after downloading, thanks! ...and you've just infected a slew of people.
GIR: I'm going to sing the Doom song now. Doom doom doom doom doom doom de-doom doom doom doom doom doom doom...
Someone's pissed off. And Bothered. And looking stupid.
My entertainment is Mac users bashing Windows.
I don't know if it has been mentioned (I only read about half the posts) but this isn't an OS X Trojan. Instead it is an iTunes Trojan; OS X identifies it as an application, which means it isn't its fault. It won't let you choose what application you open it with, and any program can run the mp3 stream (Real included) however only iTunes does anything.
Well, at least it looks like the PC virus : OS X virus ratio can finally be defined! ;-)
(Think division by zero.)
Man, I donno whether you do ironic post or not... I will send personal "thank you" to them. To intego
;)
Virusbarrier found that damn thing yesterday, on my Acrobat 5 (for OS9!), it said "mp3virus.gen", I check web, NOTHING. Just few hoaxes.
Now they deserved my 60 dollars (or 50, I don't remember).
That virus can infect OS 9 files too, if not pointed out.
Yes I am happy I got virused! So, my 50 bucks weren't for nothing
A simple fix from Apple. Just force every application that is 'first-run' to create a "preference" file or log file that forces the user to enter an admin password. Of course there should be an obligatory warning, but that would eliminate all trojans that pose as files. Still nothing much would be done about malicious apps though.
Really?
I try to be calm as I know Unsanity, friendly people...
So, how that "hoax" or "ploy" made my 40mb TIFF files which are personal photos, hand edited/restored 0 BYTES?!?!
Now restoring all from CD-RW hoping damn CD-RW isn't broken.
You people are amazing. You know the earliest days of NexT, know HFS+ internals which, me, a 6 months convert doesn't... Yet you can't guess an OS, in news EVERYDAY (how secure etc) will call Virus/Trojan coder lamers like MAGNET.
There, at least backup cd-rw can be read...
I am staying away from this article and comments until I find a way to ignore people who shoots MESSENGER...
1) That virus exists
2) That virus works (my personal files are 0bytes now, restoring)
3) Secure your home directory, maybe it can help until Symantec or Intego releases a fixer utility (filevault thing in Panther prefs)
4) backup
5) Don't pirate AV on Firewall like security software. Probably that asshole released trojaned versions on gnutella too...
6) Profit!!!
(That 6 is a joke but its amazing a company, coding for macs for years gets BLAMED for finding an OSX virus and trying to sell products)
If they have the disposable income to spend on an ipod, couldn't they buy office with the money under their couch?
Am I the only one who would be extremely suspicious when seeing an mp3 that is zipped or stuffed? As this totally doesn't make sense I already would anticipate an exploit of some sort.
Just in case anybody forgot: This so-called "security flaw" has been present in the Mac OS for over ten years.
If nobody developed a real virus exploiting this "flaw" until now, I feel reasonably safe to assume that there won't be a virus exploiting this "flaw" anytime soon.
Oh yeah, and congrats to Intego for finding this "flaw" in less than 8 years (the company was founded in 1997)! I just hope they act faster if there is a real threat.
Arne
Like some others have pointed out, it doesn't reside in the ID3 tag but in the resource fork of the file. The file therefore needs to be transferred in a way that doesn't damage the resource fork (most type of transfer will except for macbinary or binhex), greatly reducing the chances that it infects an osX box.
The fix for this virus will be very simple, all your mp3 files going to a resource fork filter, the resource fork being optional in osX and being mainly maintained for backward compatibility with os9 it is hardly a problem.
Apple could even include this in the finder or as an internet helper library, every media files downloaded off the net get instantly stripped out of their resource fork, problem solved.
Until then, please, lady and gentlemen, give a warm welcome to:
GrimRipperCM, the resource fork deleter!
http://www.versiontracker.com/dyn/morei n fo/macosx/ 16168
PLEASE REMOVE ANY SPACE CONTAINED IN THE LINK
[thin foil hat]
Anyway it was about time anti-virus software companies and mac security firm (hint hint) got something to brag about to justify their need, cause as of now, job must have been slow for them... plus Apple now finally has a good reason to definitely get rid of resource forks...
[/thin foil hat]
Meta-data is the answer yes, but it needs to be implemented in a way that doesn't break existing systems *and* follows the file when it crosses OS boundaries. Resource forks failed for this reason, and caused no end of pain when exchanging files with other systems (I say this because I've used Mac OS 8-X for my work for the last 8 years). As it is macs sometimes pollute servers at the moment with .DS_Store files which aren't hidden (perhaps they've fixed this).
In the best of all possible worlds files would all be folders/bundles (as in many apps on Mac OS X) - that way you could have whatever OS-specific meta-data you wanted within the bundle (though hopefully everyone could standardize on common ones like mime-types). You could just have a structure like this
"mypicture" (bundle)
"metadata.xml" ( xml file with tags)
mypicture.jpg (file with name referenced in metadata.xml)
Resources (optional folder with embedded files)
People with operating systems that didn't conform would instead see the files within a folder, so it'd still be accessible for them.
This would also have the benefit of allowing html pages to be saved with resources (jpegs etc) inside the package (bit like MHTML but more general), and many other types of files which refer to external resources (eg pdfs or word docs) could save the external resource untouched inside the package instead of trying to wrap them and making them inaccessible to other programs.
Unfortunately this will probably never happen.
Does sound really useful. That's why people have been doing it for years out of AFS with @sys...
This was published just a few hours ago :o
http://www.versiontracker.com/dyn/moreinfo/macosx/23054
It's a small tool that takes care of the problem. So why pay for it..
Okay but that is not really necessary on Darwin anyway because it uses Mach-O instead of something like ELF (most modern UNIX-likes) or XCOFF (basically what the PPC data fork code really was prior to MacOS X) and this allows the same binary FILE to have copies for various architectures in it. Check out:
This came from NeXT too. What Did you know about the ARCH variable and the automounter? Do a man automount on solaris say. This is how you can create a map in NIS for /foosw say, where /foosw/bin is different for sparc and x86 while /foosw/include are the same say. Then you have dirs like /export/foosw/bin-x86, /export/foosw/bin-sparc, /export/foosw/include (or you may like to use a structure like /export/foosw/x86/ and /export/foosw/sparc/ with symlinks pointing up a dir for common stuff) which you export over NFS. On solaris check-out isaexec, isalist, and friends to see how to have different optimized versions of the same binary. (The trick there is with subdirs like sparcv9 etc.) Each other OS (and sometimes it is a compiler-toolchain provided trick) handles this in its own way. You can even have optimized dynamic libraries, in elf just link with the appropriate -R options creating special dirs for the different targets. In solaris you may be able to be even more nifty about this all. Do this sometime on a recent solaris box:
Take a look at AT_SUN_PLATFORM. Now do: Take a look at and this should give you an idea of how to do something similar. Anyway, the thing you wish for has been solved a long time ago, and in a more clean fashion, without resorting to treating applications like directories.
Not sure where I called it a hoax. The PR itself says it is benign. It cannot spread. It has to be compressed... It is basically harmless (as harmless as an applescript or any other program that does this or working in the finder). My biggest problem is with the title of this /. story. It implies this is an exploit in the MP3 engines or in iTunes itself. It is neither. Just a clever use of the cfrg resource.
Where's Rob Rosenberger when we need him? Somebody buy him a Mac!
Someone has created an app to address this shortcoming in OS X: http://www.versiontracker.com/dyn/moreinfo/macosx/23054
CVb
free ipod and free gmail!
Well as you probably read, as a guy not having a single p2p app or a mp3 file, I lost my files.
It must be clever but its not just mp3 imho, it must have infected at least 1 program.
Not a hoax for sure, I see 0 byte TIFF files here.
I meant that. Cfrg resource, whatever that is. deleted all my personal files and with big chance I had backups.
I call PEBCAK.
A few key points are worth noting:
1) it's a 'proof-of-concept' virus, meaning that Intego wrote it for the express purpose of selling their product. No OS X user has ever had a single virus or trojan *unwillingly* infect their computer, as of the date this email is written. Not bad for 3 years and an install base of 50 million. Having said that, this doesn't mean we should all just double-click on any random file without a care; that would have been a poor practice under OS 9, and it still isn't a good idea.
2) If you get the trojan MP3 file in mail, it's correctly identified as an application. The downside is of course that many users seem to have no problem launching some random executable file, but basically this means that the main method of transmitting this trojan is somewhat blocked. Sure, you could get it via P2P, but it'd have to be an archive, not an MP3 file, which should set off alarm bells if you have an ounce of computer knowledge or even P2P experience.
3) The file is also correctly identified as an application if you look at the "preview" of it. So if you have the default columns view in Finder, you're likely to notice that it's an application. You'll also notice it's an application if you 'Get Info', not that you're too likely to do that.
4) You'd have to get the file in an archive ( like a .sit file or something ) or it'd lose its resource fork, which is where the executable is. It's essentially an OS 9 virus that works on OS X because of support for Classic and Carbon applications.
This works, essentially, because of OS 9 support, which allows something to be an application even though it has a different file name extension from .app, by setting its OS 9 file type to "APPL". I'm further driven to my conviction that Carbon applications are slightly evil, even if they're a necessary evil. Of course, I suppose the flip side of that argument could be made; if the Finder favored the file type over the extension in showing the user what the file is, you'd know it's an application. I'm willing to bet some future update to OS X changes the Finder to do just that, especially since that's what the Finder already does in Get Info and file preview, and is also what Mail.app does. Hmmm... maybe we should all file a bug report against Finder ?
I don't want to verify this claim, but at least one user is reporting that they can't launch the proof-of-concept virus since they're not running an administrator account. I'm not sure I see why not, but it's possible that this is true, especially depending on how you set up the user's account. I suppose having your admin account *not* as your main account is probably a good idea if you're paranoid about security, in *any* event.
In the final analysis, this is exactly the same type of social-engineering exploit we're used to seeing in Windows-based email-attachment trojans: a file which is actually an executable hides its true nature by using a .jpg or other file extension. It's also exactly the same in most respects as any OS 9 virus, and thus not terribly new.
This is perhaps a nice wake-up call to OS X users not to just blindly click on any random file, though... and yes, it's a real problem. A malicious application can be written for almost anything that executes code, including OS X and your cell phone- that's a reality.
Is it my imagination, or can you do the exact same thing as this virus by just writing an application that does the same thing and then giving it a custom icon that mimics the mp3 icon? It's not like the finder doesn't correctly identify the file as an application in the preview pane or list view....
I don't see what the big deal is.
This is basically how most NeXT installations worked.
Shared applications were in /LocalApps, which would be fat binaries on an NFS server. User directories would also be mounted from an NFS server.
It's pretty nice when you can move from your regular NeXTSTEP PC in one building, to a NeXT computer or NeXTSTEP HP RISC box in another building, log in, and get your same exact environment, with the different hardware architecture making no difference whatsoever.
I agree, it's as cumbersome as windows autorun for cds. And probably just as easy to disable
C.) Resource intensive? Bollocks.
I have to agree, 'if right(path, 4) = ".app" then' is not exactly what i'd call a resource hog
D.) Glaring security hazard? Bollocks again. Double bollocks.
Again I must agree, security hazards are only hazards when the user doesn't know about them. And considering that I don't own a mac and I know about .app, then everyone should know
Everyone knows OS X is by far the most secure mainstream desktop OS available right now. However, this should serve as a wake up call to all OS X users, especially those who are ignorant enough to believe they are completely protected from the dangers of computer viruses. It would be extremely simple to code a basic apple script that upon execution could spread to other systems via email, and completely destroy all data within the user's home directory. It could also delete many application files or certain system settings depending upon the level of the compromised user account. Of course the user has to be tricked into opening it, but that proves not to be a daunting task, at least based upon the recent wave of windows viruses that have been sweeping across the net. That being said, the total effect such a virus could have on a system and/or the net would be insignificant relative to a compromised windows box.
uhm you are, unfortunately, entirely wrong and have been misled by Intego.
1>Their algorithm falsely marks as positive any CFM executable file with a document extension - in this case it's a plugin for Acrobat 5. (see this slashdot post) http://apple.slashdot.org/comments.pl?sid=103394&cid=8809962
2>"mp3virus.gen" does not exist in the wild, and was only discussed as a concept on a security mailing list a few weeks ago, so it's not even likely that you could be 'infected'.
3>It's a trojan so you would have had to download a stuffed archive of an MP3 from someplace and double click on that in the finder to get it - surely you would remember doing this?
'Virused' is not a verb, thank goodness. You could use infected, if you had a virus, and if this was even a virus and not a trojan. I hate to break it to you, but your 50 bucks were indeed spent for nothing.
This has been the second security flaw ever since OSX came out to my knowledge. How many has XP had? Like 236 or something?
And some people are linking this to Quicktime and not OSX itself.
If anything, this is just gonna make a bunch of Windows Fanboys even more Fanboish.
$>man woman
$>Segmentation fault (core dumped)
heh heh. 0 byte tiff files. What did you download and run that gave you 0 byte tiff files then?
There is no virus, there is a trojan, a proof of concept trojan (which does nothing) at that. What exactly did you download? What exactly was deleted?
You're a bit short on details here, and given your other posts in the thread I'm not inclined to believe you without them. What Crays, G5s and the nationality of Intego have to do with it I have no idea.
oh, perhaps you should fix your signature.
.DS_Store files have nothing to do with standard metadata or resource forks. I don't know exactly why they appear, but I think it has something to do with extra metadata that the Finder uses, and I think it changed in Panther (they seem to appear less often, but I may be mistaken). The files that appear have obvious names like resource.frk for the resource fork.
I think that in the best of all possible worlds (not counting ones where computers are our omniscient servants) that the metadata would still be just extra tags on files. For example, I could have a file named "Circuit Diagram" and it would be an SVG file, because the OS recorded a MIME type of image/svg+xml.
If you think about it, every networked platform already supports MIME types. On a Mac, you wouldn't have to worry about mapping creator codes to MIME types or vice versa, and on Windows you wouldn't have to worry about nasty things like extension conflicts. The only problem is that there isn't any OS-level support for this (i.e. there are filesystems that can handle this). You could add tags for file previews, source URLs, authors, file position.
Tags could be changed without regard to file write permissions, but these changes would only be visible to the user that made them. For example, I could specify that when I double click on the MP3s in your shared folder, they would open in Quicktime instead of iTunes, without changing with what application you open them.
The filesystem would be versioned, and metadata would persist across versions unless explicitly removed. This would eliminate the old problem of editing files on a Mac and having the comment / preview / resource fork / etc. disappear.
People with operating systems that didn't support this would simply not get the extra data. Too bad for them. Their mail program would probably have to add a filename extension too.
For the command-line users who want to be able to know the file's type, just add that feature to ls. You could add a feature to find as well: imagine 'find . -mime image/jpeg', or 'find ~/Downloads -srcurl \*gnu.org\*'.
Personally, I think bundles get a little overused at times. It's an awesome idea for applications and plugins, but I'm not fond of the idea for files. In Garage Band, the sound data is stored as AIFFs... if I want to edit them in a different program, I have to right click > show package contents.
The best part? Anyone could add this to GNU/Linux if he felt like it (and had enough free time & dedication). You'd take a filesystem that supports it, add some metadata code, and write in application support (like mod_metadata for figuring MIME types).
Lose essential liberties to get temporary safety = get only hassles and security theater.
For a Mac, what ya need to do is sprinkle a little stump water over the CPU while you be swingin' a dead cat over yer workstation and you don't need to be worrying but no virus no mo.'
PegQuin--I've got a sneakin' suspicion
My opinion is - they wrote it, they are blackmailing the Mac community with their proof-of-concept code and should be shut down, not supported. They will never get a penny of my money. It's like paying someone not to beat you up... G.. that's a win win situation there...
Quoth Rosyna:
Because the Mac OS X implementation of CFM doesn't support code fragments in resources. Believe me, I tried. (More implementation critiques, anyone? ;))
Now, some of the most interesting google results so far are these: "MP3Virus.Gen alert during start-up" and "IDCS won't open - AWS plug in missing??". If Intego's virus scanner starts to generate lots of false positives for InDesign plugins, they've really shot themselves in their corporate foot.
To fix your sig, perhaps change it to
"I promise to meta-moderate every +insightful or +interesting comment which mentions grammar or spelling."
Are you French? I can't say I share your feelings about spelling (in English or in French), but to each his own opinion (as you can see, my French is far from perfect). Personally, I find it useful when I make mistakes and someone else corrects me; in fact, there are quite a few Anglo-Saxons here who need to improve on that front!
A couple of weeks or so ago, I downloaded demo versions of both Sophos' and Norton's antivirus software (at the time, I was running OS X 10.2.8). Like anyone else here, I receive a lot of Windows viruses in my email, and I wanted to see how Sophos and Norton would handle them. I saved several different Windows virii to my desktop, then turned both Sophos and Norton loose on my PowerBook. They both reported that there were no viruses on my system.
I suppose I can at least be thankful that the manufacturers both gave me a free evaluation so I didn't have to waste any money determining that the products were useless.
Before you ask -- I did check them both to make sure the signatures were up to date. I don't actually remember the details on this, but AFAIK, at least one of them said I couldn't get updated signatures in the evaluation version (which to my mind means that you can't really evaluate it at all, but whatever).
In the last place I worked, we had exactly the set-up I described. In such a system most software that used autoconf works fantastically. You can make a subdir for x86 and one for sparc, cd into that dir, do ../configure -exec-prefix=foo -prefix=bar, then make; make install. Then login on the other system and build over nfs.
Then of course it is very simple to have a Makefile in the dir above all of your source that remembers what options to configure to use. You can even have that apply patches if you need for really trick code.
The place I work now, we use AFS here and I really liked the comment about @sys from the AC.
So I guess if you were using binary packages or something having all of the versions prebuilt would be nice, but that would not play too well over the network anyway for anything that uses dynamically linked libraries (almost everything compiled correctly). For most binary file formats you need to specify at build-time where to find the libraries. Most binary packages assume using a tree under something like /, /usr/local, /opt/sw. /sw, or something. If you just export one of these schemes as-is over a network filesystem, then the local admins cannot install packages on their workstation any longer. If you decide to put them someplace-else then you need to play with environment variables like LD_LIBRARYPATH and now you really cannot do that too easily for everyone now can you...
(But then again, on the FreeBSD boxes here we DO export /usr/local. With ports it is so insanely easy to keep everything up-to-date, it is like everything gets upgraded for everyone automatically. For stuff not in the ports tree, we just use our home directories which are exported over NFS. But this is all so easy for the FreeBSD boxes because they are all x86 of course...)
Trust me, the scheme I described is not anywhere near perfect but it does work better than I imagined at first.
Anyone notice the high ratings from the moderator on the entire set of threads for this topic? Never have I seen such a liberal dose of 4's and 5's. Is Slashdot covering this in a "fair and balanced" manner?
I just have to ask, why UFS?
I once formatted a harddisk as UFS believing it would be easier to read from a linux machine, but the partition info is still in mac-format, and the UFS Apple uses is in fact an OpenStep-modified version of the old UFS.
So I am puzzled to why Apple has this option, and more to whom would actually use it?
For the records, it turned out that linux understood HFS+ quite well, unlike the Apple UFS, for which it only had read-only access.
....then why the hell are they running Windows 2000/IIS?
Now wash your hands.
I haven't heard of anyone affected by it have you? If it does exist where is it, I don't need a proof of concept, i need the exploit
" a weakness in Mac OS X where applications can appear to be other types of files."
now WHY are macs more secure again?