Worm Claimed For Apple OS X
SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."
Exactly what vulnerability in mDNSResponder is it exploiting? Since mDNSResponder also runs on Windows if you install Bonjour for Windows, does that mean it can possibly be affected too?
While InfoSec Sellout states that the worm only seeks out other systems on the same network for infection, they point out that it is not going to take much extra work for the worm to attack a much broader network segment.
It's my understanding that the daemon in question works only on the LAN and is part of Bonjour/Rendezvous/Zeroconf/Avahi.... if this is the case, assuming a decent firewall, aren't you only vulnerable within your own local network?
It's a bug, it's a problem, but it's no Blaster by a long shot.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Doesn't mean you can't build them. Just means none are released in the wild, true to this date.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So, not quite like the Internet-spanning, DDoS-producing Windows worms we've come to know and hate. I'm not too surprised the vulnerability was in mDNSResponder, though. Someone I work with found a few problems in the code when running it on Linux.
IF this is real, and it can spread quickly and cause maximum damage, then it's just as bad as Windows, because the end result is an unsafe system.
If you mod me down, I will become more powerful than you can imagine....
"I don't know of a single Mac user or vendor who has ever claimed that OS X is *COMPLETELY* invulnerable to viruses/etc, only that there hasn't been a demonstrable, malicious, in-the-wild true OS X virus released YET, which is true."
Perhaps you have completely missed all Apple's marketing material lately?
Not necessarily. In 2002, there was a zlib vulnerability found (involving memory being freed twice). Windows was not affected since it safeguards against double freeing memory.
Do you even lift?
These aren't the 'roids you're looking for.
You make a good point. The fact that there is not a single virus or worm in the wild for MacOS X probably does make this bigger news (assuming the unsubstantiated report is real and it ever makes it into the wild) than it would otherwise be. I'm not sure how much Apple's statements on the matter really affect it, but the fact that someone succeeded in creating such a worm for MacOS X really is pretty big news, I guess. That is, as long as the news organizations don't try to portray MacOS as being as vulnerable as Windows.
E pluribus unum
Take the classic email-based worm, for example. Given that only about 4-8% of computers run OSX, how would an email worm spread on Macs? If you sent it to 100,000 email addresses you'd be lucky if 8,000 OSX users received the email. If 50% of those 8,000 OSX users fell for it and executed the payload, the worm would have to find 25 new email addresses that belong to uninfected OSX users in order to maintain its population. Otherwise the number of new infections would decrease exponentially until the worm became extinct.
The 50% infection rate and number of new email addresses required per infected host are both unrealistic IMO. More realistic numbers would only serve to further prove my point - that spreading malware to OSX computers is virtually impossible.
Network borne malware is a different story, but that's become an almost non-issue since Windows XP SP2 came out and enabled the firewall by default.
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
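The population argument in the post above can be written down as a simple branching-process model. The block below is an added example, not code from the thread or from anyone quoted in it; the platform share, click rate and fanout values are the poster's illustrative figures, not measurements, and the function names are my own.

```python
"""Toy model of e-mail worm propagation on a minority platform.

Added example, not part of the original discussion. Each infected host
mails `fanout` addresses; a fraction `share` of recipients run the target
OS and a fraction `click_rate` of those execute the payload. The expected
number of new infections per infected host is the product of the three.
Below 1.0 the infected population decays geometrically; above 1.0 it
grows. All parameter values used here are assumptions for illustration.
"""


def reproduction_number(share, click_rate, fanout):
    """Expected new infections caused by one infected host (R)."""
    return share * click_rate * fanout


def break_even_fanout(share, click_rate):
    """Addresses each infected host must reach for R to equal 1."""
    return 1.0 / (share * click_rate)


def simulate(initial_emails, share, click_rate, fanout, generations):
    """Expected infected hosts per generation (deterministic mean-field).

    Generation 0 is seeded by one mass mailing of `initial_emails`
    addresses. Returns a list with `generations + 1` entries.
    """
    infected = initial_emails * share * click_rate
    history = [infected]
    r = reproduction_number(share, click_rate, fanout)
    for _ in range(generations):
        infected *= r
        history.append(infected)
    return history


def generations_until_extinct(initial_emails, share, click_rate, fanout,
                              threshold=1.0, limit=10_000):
    """Generations until the expected population drops below `threshold`.

    Returns None when R >= 1 (the population never shrinks) or when the
    threshold is not reached within `limit` generations.
    """
    r = reproduction_number(share, click_rate, fanout)
    if r >= 1.0:
        return None
    infected = initial_emails * share * click_rate
    gen = 0
    while infected >= threshold and gen < limit:
        infected *= r
        gen += 1
    return gen if infected < threshold else None


if __name__ == "__main__":
    # The poster's numbers: 8% share, 50% click rate, 100,000 initial mails.
    print("break-even fanout:", break_even_fanout(0.08, 0.5))
    print("R at fanout 10:", reproduction_number(0.08, 0.5, 10))
    print("population by generation (fanout 10):",
          [round(x) for x in simulate(100_000, 0.08, 0.5, 10, 6)])
    print("generations to extinction (fanout 10):",
          generations_until_extinct(100_000, 0.08, 0.5, 10))
```

Changing `share` to something like 0.9 shows the other side of the comparison: with the same click rate, a fanout of three addresses already gives R above 1.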
The only way for a person to improve is to receive constructive criticism and to listen when others point out their failings. I personally listen when others point out my mistakes, and do my best to correct them, so I likewise believe that concealing information for the sole purpose of one's own advantage, without consideration for anyone who might be hurt because of one's actions, is immoral. Furthermore, I don't understand how you can consider the creation of malware a complex issue; in the long run, no matter how well intentioned the creator is, malware inevitably harms the population as a whole, and all in all, that sounds pretty simple to me.
"all you lose is Bonjour (useful for discovering iChat and iTunes connections on your local subnet..."
Well, if that's all that's affected, C'ya iChat and iTunes... neither of which I need, care for or use.
And that's the problem. You want to look at it in simple terms instead of considering the whole issue.
Apple and other software vendors have chosen a development model that maximizes their ability to hide defects in their software. If people are morally obliged to report any of the defects they independently find in the software then the vendor has no incentive to ensure the defects are found before the product hits the market. To put it another way, time to market is much more important to them than making a product free of defects. The only thing that motivates them to ensure their products are defect free is malware. As such, creation of malware actually *helps* to make the vendor take more responsibility for the defects in their product.
How we know is more important than what we know.
Seriously, sit down with this guy. Put a suitcase full of large bills on the table, and tell him it's his if he can prove it works. And then, give the guy some incentive to continue to disclose his so-called "root causes". He is CLEARLY a total whore for cash, which means he is easily bought. You have pockets deep enough, you just sold a bojillion iPhones, so buy this guy. If he's full of crap, make the fact that you wanted his "root cause" and he couldn't show you it publicly known, then he gets shamed into STFU and stops spreading FUD. If he does show the root cause, then great, put him on retainer and continue to have a fantastic OS. I know Jobs likes to do things all secretive and on his own terms, but this is a public perception issue, it needs to be handled in the public eye. Get on the private jet and go see this guy in person, use the RDF to mess with him and get this shit cleared up. Microsoft got into the situation they're in now by ignoring things like this and pulling the secretive garbage, you don't wanna go down that road, otherwise this crap will get out of hand.
If you have a sandpit it's much easier to bury your head in it, rather than try and come up with a reasonable explanation of why this worm is part of Jobs' master plan.
// MD_Update(&m,buf,j);
Actually the material was the commercial, and the commercial went something like this:
PC: Careful, I'm contagious, I have a virus.
Mac: I'm OK, I can't get that from you. Macs don't have that problem (which is true, a Windows virus doesn't infect Macs and at the time there were no Mac viruses).
False advertising? No. Open ended advertising, sure.
And how many of those 'bazillions' of viruses will infect a fully patched XP or Vista system? That is, without user interaction - I'll give you a hint, the answer is very close to 0.
The biggest problem by far in terms of Windows security today is the user. You can't stop the user from downloading executable files from P2P networks, or 'codecs' for the latest funny videos, or programs which promise to speed up your PC or whatnot. Almost every major virus (including trojans, keyloggers, etc) is instigated by the user. Yes, Microsoft has had major issues with security in the past and will still have issues in the future, but the bottom line is that you can't protect the user from themselves.
Following on, most viruses today are written with the intent of profiting from them, whether it be as part of a botnet, stealing financial information, or whatever else. If you were looking to make the most amount of money, are you going to produce something that has a maximum target of 1 in 40 computers, or 19 in 20? Wake me up when Apple has an equal share of the market with Microsoft, and we'll do a fair comparison then.
Hopefully that will change sometime soon. I like to think there is a push coming that is going to make vendors think differently about software security.
But maybe that's just over-optimistic.
How we know is more important than what we know.
One down, 140,000 to go until he catches up. Good thing mDNS doesn't work on the open Internet, though.
Most of the stuff on
Viruses will infect a new Windows PC plugged into the Internet before its patches can be downloaded.
You are right that users control their own security, but this is also the case on the Mac, and Mac users aren't plagued with constant malware problems. I have never scanned a PC and not found lots of malware. I work with a lot of different clients in different settings, from large enterprise groups that hire me to work on specific issues, to small business and home users. I have run large and medium sized IT environments, from several hundred users to several thousand.
It is a bit absurd to first say that user security is the tough problem and Microsoft can't protect its users from themselves, and then concede that Microsoft owns the Enterprise of managed desktops with locked down security. That's where big money is being lost due to real viruses and worms.
Apple has a very large business among home users and in education, both of which tend to have less draconian security in place, and a more permissive and less technically savvy userbase. But Mac users aren't poking their own eyes out downloading malware; it's the Windows users that are.
You can't hide behind market share numbers forever. There is quite obviously a big problem architecturally for Windows when even tightly managed IT pros can't keep their systems up to date and safe, while Mac users experience zero problems and the only known exploits for the Mac are theoretical lab concepts that require crossed fingers and aligned planets.
RoughlyDrafted Magazine
Your opinion? Is it the result of envy because a mac user spends more time using their system productively instead of configuring it? Those that spend all day configuring their system, installing software they'll never use and reinstalling stuff for "fun" are obviously envious of the productive mac users who spend their computer time creating content and not just playing with the content designed by others.
10.4.10 isn't on the affected systems list.
If it is, this might be patched relatively soon (although it might take a while before Apple approves and deploys the fix). It might also mean that more systems could be affected by this vulnerability. I know FreeBSD uses mDNSResponder (the laptop I'm typing this on is actively using it right now).
Anyone know if this might provide a way to write a FreeBSD worm?
Free beer is never free as in speech. Free speech is always free as in beer.
I'd really be interested as to whether this vulnerability is OS X only. Apple have released mDNSResponder under an Apache 2.0 license, and it runs on Windows and *NIX. Is the vulnerability in mDNSResponder, or how it interacts with OS X?
I am TheRaven on Soylent News
The "Internet Worm" targeted Sendmail. Which has proceeded to become notorious for security holes.
The biggest UNIX webserver security holes are due to PHP.
The biggest problem is not "closed" vs "open" source. It's design. Is the API secure (that is, if the implementation is perfect, would the resulting system be perfectly secure)? Does the API fail "open" or "closed"? Is there a mechanism to request trusted access from *outside* the trusted domain? If so, is that enabled by default?
If the answers are "yes", "closed", "no", and "no" then you may have built a secure system.
Surprise, surprise, there's a lot of open source software that isn't secure by that standard, including the much-lauded Firefox. Now don't get me wrong, the surface area Firefox's XPI and the XPI install mechanism exposes to attack is like the radar signature of a stealth fighter, where Internet Explorer's "insecurity" zones and ActiveX give it the radar signature of a flock of 747s, but it's not necessary for either exposure to exist at all.
Open Source doesn't create secure systems. It's a hell of a mitigating factor, yes, but the real source of long-lasting security holes (and we don't know if this is one or not, because the soi-disant "researcher" responsible isn't being open about the vulnerability he's found) is insecure design and a preference for patching particular attack vectors rather than fixing the insecure design. And that isn't limited to closed source systems.
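The "fail open or fail closed" question raised in the post above is easiest to see in code. The block below is an added example, not code from the thread, from Apple, or from any project mentioned on the page; the policy table, roles, actions and the `backend_up` flag are made-up fixtures that stand in for a real policy store and its failure modes.

```python
"""Fail-open versus fail-closed authorization checks.

Added example, not part of the original discussion. The two `authorize_*`
functions consult the same policy store; they differ only in what they
return when the lookup itself fails (backend unreachable, unknown role).
The policy table and the `backend_up` flag are constructed fixtures.
"""


class PolicyUnavailable(Exception):
    """Raised when the policy backend cannot be consulted."""


# Constructed fixture: which actions each role may perform.
POLICY = {
    "admin": {"read", "write", "shutdown"},
    "user": {"read"},
}


def lookup_permitted_actions(role, backend_up=True):
    """Return the action set for `role`, or raise if the store is down.

    `backend_up=False` simulates a network or database failure.
    An unknown role raises KeyError, like a missing row would.
    """
    if not backend_up:
        raise PolicyUnavailable("policy store unreachable")
    return POLICY[role]


def authorize_fail_open(role, action, backend_up=True):
    """Anti-pattern: any error in the check is treated as 'allow'.

    This is what you get from a blanket `except Exception: return True`,
    or from code that only denies when it positively finds a deny rule.
    """
    try:
        return action in lookup_permitted_actions(role, backend_up)
    except Exception:
        return True


def authorize_fail_closed(role, action, backend_up=True):
    """Default-deny: only a successful lookup that lists `action` allows it.

    Both failure modes (store down, unknown role) map to a refusal, and
    the only path to True is a policy entry that names the action.
    """
    try:
        permitted = lookup_permitted_actions(role, backend_up)
    except (PolicyUnavailable, KeyError):
        return False
    return action in permitted


def compare(role, action, backend_up=True):
    """Return (fail_open_result, fail_closed_result) for one request."""
    return (authorize_fail_open(role, action, backend_up),
            authorize_fail_closed(role, action, backend_up))


if __name__ == "__main__":
    for case in [("admin", "shutdown", True),
                 ("user", "shutdown", True),
                 ("user", "shutdown", False),   # store down
                 ("guest", "read", True)]:      # unknown role
        print(case, "-> open/closed:", compare(*case))
```

Note that when the policy store is reachable the two functions agree; the difference only shows up under failure, which is exactly when an attacker who can knock over the backend (or supply a role the table has never heard of) gets to choose which branch runs.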
Here's a serious question for you: Are you stupid? Did you read anything I wrote? Are you answering my post simply to prove that I was right? Okay, three questions. And no, you don't have to answer.
"Worst security nightmare is having some issues on host operating system and whoever tells such flaws gets burned by some zealot cult. I hate fanboys because they risk my OS security."
Yeah. What fanboys? Reading through this discussion, I see dozens and dozens of people complaining about Apple fanboys. Yet I do not see a single post of one of these hypothetical Apple fanboys claiming that "Mac OS X can't be penetrated" or that "this security issue is actually a good thing."
I'm not sure what your issue is, really. Why do you feel the need to make up stories about these hypothetical Mac users?