Worm Claimed For Apple OS X

← Back to Stories (view on slashdot.org)

Posted by kdawson on Tuesday July 17, 2007 @11:26AM from the apple-trees-have-roots-too dept.

SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."

5 of 398 comments (clear)

Min score:

Reason:

Sort:

Windows affected? by nuckin+futs · 2007-07-17 11:49 · Score: 5, Interesting

exactly what vulnerability in mDNSResponder is it exploiting? Since mDNSResponder also runs on windows if you install bonjour for Windows, does that mean it can possibly be affected too?
Is mDNS even routable? by MBCook · 2007-07-17 11:58 · Score: 4, Interesting

I was under the impression that mDNS was not routable (and specifically designed not to be routed). If that is true, doesn't that restrict this to propagating to computers on the same subnet? This could effect a business, or a computer lab (say at a university), but this fact should prevent it from spreading around the internet at large (as various Windows worms have).
It's a bug, it's a problem, but it's no Blaster by a long shot.

--
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Re:Can this travel via "broader network segment"? by greed · 2007-07-17 12:49 · Score: 5, Interesting

Sure, get infected on the school's lab LAN. Bring your iBook oops MacBook to the coffee shop and get everyone else there. They all go home and infect their room-mate's machines. Who go to a different lab and it gets loose on the LAN there.
Most laptops aren't isolated to a single LAN these days; they move around. If there really is a flaw in mDNSResponder, then such a worm does have a chance to propagate. Especially if it is subtle and doesn't crash or overload machines, or do insane amounts of network I/O, or any of the other things that cause people to think something's wrong.
10.4.10 by djahz · 2007-07-17 20:03 · Score: 4, Interesting

10.4.10 isn`t on the affected systems list.
1. Re:10.4.10 by fplinn · 2007-07-17 20:56 · Score: 4, Interesting
  
  wasn't this patched in may ? http://docs.info.apple.com/article.html?artnum=305 530
  mDNSResponder
  CVE-ID: CVE-2007-2386
  Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
  A remote attacker may be able to cause a denial of service or arbitrary code execution
  Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.