Slashdot Mirror
First Mac OS X Virus?
bubba451 writes "MacRumors reports on what may be the first virus to affect Mac OS X, disguised as screenshots for the upcoming Mac OS X 10.5 Leopard. From the report: 'The resultant file decompresses into what appears to be a standard JPEG icon in Mac OS X but was actually a compiled Unix executable in disguise. An initial disassembly reveals evidence that the application is a virus or was designed to give that impression.' The virus is said to also spread via Bonjour instant messaging." Update: 02/17 00:09 GMT by P : This is not a virus, it is a simple Trojan Horse: it requires manual user interaction to launch the executable. See Andrew Welch's dissection.
How can it be a virus if it is a Trojan?
You have to execute it yourself, and that is why it is _not_ a virus.
Uhm, how are proposing to "fix" this? You can give your application any icon you want, and as long as it looks even remotely like the native JPEG-icon, 95% of users won't notice.
The only way would be some sort of flag that shows up on any icon that represents something executable, and that wouldn't be a fix but a completely new approach.
Come on. MacOSRumors.com on a forum post. Let's not loose our heads and start spreading FUD because of something someone's brother's first cousins next-door neighbor read in a forum post. If you're smart enough not to accept random files and put your admin password in for anything that pops up - this won't be much of an issue.
Can you explain to me where the security flaw in OSX is in this case?
There is no double standard here.
Everybody seems so certain that this is a non-starter on OSX because it requires some user intervention to propagate. I have bad news for you: there are clueless Mac users out there, too. These are probably the same folks who will click on a web popup to "see the lastest hollywood gaff" and then "accept" the untrusted executable when windows warns about the download to be executed. And they're the same ones who will dutifully click their bank url in an email and login to make sure their information is correct .
Never understimate the power of the incomptenece of 20% of your userbase.
Is it just my observation, or are there way too many stupid people in the world?
When I download a dmg file with Safari, I get a warning if the dmg contains an executable. (Not sure if that's Safari doing the warning or the code that mounts the archive or what.) Something like this in the code that unpacks tar files would go a long way toward fixing it.
Devon
I was thinking about this. I can't imagine it would be all that hard -- there is already a visual flag applied to all "alias" (that's symlink) files, so it doesn't seem like it would be out of the question to do something similar for executables, based on the eXecute bit.
However what I'm not sure about is how you'd make this work for MacOS bundles -- unlike UNIX applications they're not just single files; the thing that you click on in the Finder to launch a MacOS app (at least a Cocoa one) is actually a directory if you look at it in the Terminal, it just has the hidden suffix of ".app" (so for instance the program Mail in the finder is actually the directory/folder Mail.app). The actual executable file is normally buried somewhere within the folder -- usually like (appname).app/Contents/MacOS/executablefile.
I suppose what you'd have to do is put the visual flag on if a file was either a directory ending in ".app", or if the regular eXecute bit was set on a file itself.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Anyway, back to the present. A simple, welcome solution, would be to just show the names of applications in bold text. That would be helpful to power user and novice alike, and it would probably also look good.
I like it. Good idea.
While we're at it, maybe they can give us back our aliases in italics at the same time; that was a nice 'no brainer' feature if I ever saw one.
That will probably go over better with application developers than some sort of visual indicator on the application's icon that would mess up their pretty custom look. Bolded text is definitely the better way to go.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
This story is the biggest FUD of the day.
.tgz file in Safari, Safari warns you that it's an application, and you have to click to continue.
1.) Several proof-of-concept viruses have been written for OS X in the past, so this isn't the "first." They never propagate.
2.) When you download this
3.) When you run it, an admin password prompt is displayed by OS X, and you have to enter it to continue.
Like I said--FUD of the day.
"Sufferin' succotash."