Worm Claimed For Apple OS X
SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."
worm in apple? (Score:4, Funny)
Re:worm in apple? (Score:5, Funny)
Re:worm in apple? (Score:4, Funny)
Re:worm in apple? (Score:4, Funny)
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
Re: (Score:3, Interesting)
Re: (Score:3, Interesting)
Re: (Score:2)
That's not true... (Score:3, Funny)
Re:That's not true... (Score:5, Funny)
Actually... (Score:5, Insightful)
Here's an idea: Shut up, and let those who are interested in the article discuss it. Thanks.
Re: (Score:3, Interesting)
Yes, I am one of those cult infidels or traitors who flooded those forums because his mind couldn't handle all that non-logical junk there. Now I am happily missing.
Here's a serious question for you: Are you stupid? Did you read anything I wrote? Are you answering my post simply to prove that I was right? Okay, three questions. And no, you don't have to answer.
The worst security nightmare is having some issues in the host operating system, and whoever tells of such flaws gets burned by some zealot cult. I hate fanboys because they risk my OS security.
Yeah. What fanboys? Reading through this discussion, I see dozens and dozens of people complaining about Apple fanboys. Yet I do not see a single post of one of these hypothetical Apple fanboys claiming that "Mac OS X can't be penetrated" or that "this security issue is actually a good thing."
I'm not sur
Re: (Score:2)
"NO!!!!! NO!!!!!"
(it was a lot sillier when Hayden Christianson said it)
Re: (Score:2)
"DO NOT WAAAANNNTTTT!!!!"
*ahem* (Score:5, Insightful)
If by fully testing you mean "auctioning it to the highest bidder" then yea.
temporary work-around (Score:5, Informative)
sudo launchctl unload -w
Re:temporary work-around (Score:5, Informative)
also quite useless (Score:4, Insightful)
Isn't this kinda like working out a vulnerability in AppleTalk a month before they stopped using it?
Re:also quite useless (Score:4, Insightful)
Many of the major Windows worms and so forth target vulnerabilities which have already been fixed (and the fixes pushed out) months before. Not only will many not upgrade to Leopard, if the OS X userbase is similar to the Windows userbase (I'm not sure if it is, but still), many will simply not click the button to install the updates, and leave themselves vulnerable.
Re: (Score:3, Insightful)
Re: (Score:3, Interesting)
I question the ethics, and my legality (Score:4, Insightful)
Re:I question the ethics, and my legality (Score:5, Insightful)
Re: (Score:2)
Yes and yes.
Re:I question the ethics, and my legality (Score:5, Funny)
I agree. We should also question the ethics of Theo de Raadt. After all, this guy published an exploit for OpenSSH. Who does this guy think he is? Hell, he should have given the problem to the developers of OpenSSH to fix it, not be out there releasing exploits and stuff.
Re:I question the ethics, and my legality (Score:5, Insightful)
Re:I question the ethics, and my legality (Score:4, Insightful)
Re:I question the ethics, and my legality (Score:4, Insightful)
Re: (Score:2)
Some people think revealing a vulnerability is morally reprehensible.
Some people think not revealing a vulnerability to anyone but the person who made the damn thing in the first place is morally reprehensible.
You can't just make a blanket statement about a complex issue like this and assume we all know what your position is.
Re: (Score:3, Interesting)
Re:I question the ethics, and my legality (Score:4, Interesting)
Apple and other software vendors have chosen a development model that maximizes their ability to hide defects in their software. If people are morally obliged to report any of the defects they independently find in the software then the vendor has no incentive to ensure the defects are found before the product hits the market. To put it another way, time to market is much more important to them than making a product free of defects. The only thing that motivates them to ensure their products are defect free is malware. As such, creation of malware actually *helps* to make the vendor take more responsibility for the defects in their product.
Re:Time to Market??? They aren't exactly rushing.. (Score:3, Interesting)
Hopefully that will change sometime soon. I like to think there is a push coming that is going to make vendors think differently about software security.
But maybe that's just over-optimistic.
Re:I question the ethics, and my legality (Score:5, Insightful)
Maybe it shouldn't be. There are hundreds of
Neglecting to report a vulnerability is not remotely criminal, no matter how much you disagree with his motivation.
Re:I question the ethics, and my legality (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
As great as arguing from analogy can be, it's really a weak form of emotional badgering. Make a real argument.
Re: (Score:3, Insightful)
Tipping the scales? (Score:5, Insightful)
Re:Tipping the scales? (Score:5, Insightful)
The author claims, "While it is nothing special compared to Windows based Malware it does prove a point -- Apple Computers are just as susceptible to Malware as Windows based ones." Oh, bullshit. The fact that this particular security vulnerability exists does not mean that OS X is just as much a wide-open target as Windows is.
In the "Classic" MacOS days, there was a fair amount of Mac malware -- never as much as in the PC world, of course, but plenty of it running around. Since OS X became the standard, this hasn't happened. The "vulnerability through popularity" argument just doesn't hold up to this fact.
Re: (Score:3, Interesting)
If this is real, and it can spread quickly and cause maximum damage, then it's just as bad as Windows, because the end result is an unsafe system.
Re: (Score:3, Informative)
one is bad (Score:2)
I would not say one potential laboratory specimen for OSX is as bad as all 180,000 known Windows threats in the wild even if it's real.
Bad, though, yes, it is, if it's real.
Did I mention it wasn't in the wild? Your mac cannot catch this one yet and likely won't ever, if it's even real.
That is not as bad as zero to pwned in 23 seconds average just by connecting XP to the Internet. But bad, yes it may be.
If it's real, then it's bad.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:3, Insightful)
Perhaps Paterson's folly?
Re: (Score:2)
http://dictionary.reference.com/browse/folly
Windows affected? (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2, Interesting)
Can this travel via "broader network segment"? (Score:2, Interesting)
It's my understanding that the daemon in question works only on the LAN and is part of Bonjour/Rendezvous/Zeroconf/Avahi.... if this is the case, assuming a decent firewall, aren't you only vulnerable within your own local network?
Re:Can this travel via "broader network segment"? (Score:5, Interesting)
Sure, get infected on the school's lab LAN. Bring your iBook oops MacBook to the coffee shop and get everyone else there. They all go home and infect their room-mate's machines. Who go to a different lab and it gets loose on the LAN there.
Most laptops aren't isolated to a single LAN these days; they move around. If there really is a flaw in mDNSResponder, then such a worm does have a chance to propagate. Especially if it is subtle and doesn't crash or overload machines, or do insane amounts of network I/O, or any of the other things that cause people to think something's wrong.
Re: (Score:2)
Okay... let me get this straight... (Score:5, Insightful)
Somebody writes a worm for OSX that works across a specific test network (of which we have no clue as to settings, layout, patch levels, etc etc), and it's really, really, really big news. Media orgs around the planet sound the klaxon, and (nearly) everyone gets all hyper-ventilated. Claims of "OSX is just as vulnerable!!!1111!!" will fly off the pages.
Meanwhile, the next near-periodic iteration of MSFT-specific malware in-the-wild will get not so much as a grunt outside of security circles (such as SANS ISC and F-Secure's blog as ferinstances). It will likely subvert 40x as many victims in its first hour, and the media won't say so much as 'boo' about it.
Perspective (at least outside of security and some geek circles)? Never heard of it.
Re: (Score:2)
Re:Okay... let me get this straight... (Score:4, Insightful)
Re:Okay... let me get this straight... (Score:5, Insightful)
Major difference. In fact, every Mac user I know expects a "true" virus or two to show up for OS X sooner or later, but what of it? So the ratio will go from a bazillion to zero to a bazillion to one or two.
Apple has roughly a 2.5% worldwide market share--wake me when they have anywhere close to 2.5% as many viruses as Windows and I'll start being overly concerned.
Re: (Score:3, Interesting)
pc: careful i'm contagious, i have a virus
mac: I'm ok, i can't get that from you. Macs don't have that problem (which is true, a windows virus doesn't infect macs and at the time there were no mac viruses)
False advertising? No. Open ended advertising, sure.
Re: (Score:3, Insightful)
here, look for Viruses...
Quote:
PC: Better stand back, this one's a doozy.
Mac: That's ok, I'll be fine.
PC: No, no, don't be a hero. Last year there were 114,000 known viruses for PCs.
Mac: PCs, but not Macs, so...
Where does it say that Macs are invulnerable to viruses?
Re: (Score:3, Interesting)
You are right that users control their own security, but this is also the case on the Mac, and Mac users aren't plagued with constant malware problems. I have never scanned a PC and not found lots of malware. I work with a lot of different clients in different settings, from large enterprise groups that hire me to work on specific issues, to small business and home users. I have run large and medium-sized IT
Re: (Score:2)
I could be wrong, but I don't think Apple has ever stated that OS X is immune t
Re: (Score:3, Interesting)
Is mDNS even routable? (Score:5, Interesting)
It's a bug, it's a problem, but it's no Blaster by a long shot.
Re:Is mDNS even routable? (Score:5, Insightful)
Re: (Score:2)
Re:Is mDNS even routable? (Score:5, Informative)
mDNS/bonjour/zeroconf detects if a packet has crossed a router by setting the originating TTL to 255. If a multicast packet crosses a router, the TTL is supposed to be decremented, and zeroconf is supposed to ignore the packet as it is no longer considered local. Many suppositions there, as implementations vary.
Worse, starting with a TTL of 255 means that the packets will be able to go anywhere on the internet where multicast packets can get routed. Better protected carriers will drop multicast packets with TTLs greater than 64 or 128, specifically to limit mDNS/zeroconf traffic while allowing reasonable traffic to flow. Most ISPs don't have the technical competence to deal with multicast, so they just block it, which will limit any spread of an mDNS worm.
However, just because mDNS/zeroconf will ignore packets with TTL less than 255 doesn't mean that a buffer overflow bug isn't being treated by the protocol stack. Take a wait-and-see attitude on this disclosure, as it appears to be an extortion attempt rather than something from legitimate sources.
the AC
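The TTL rule the comment describes, as an added example (not code from the page or from mDNSResponder): a minimal IPv4/UDP parser, the receiver-side check that accepts only datagrams to the mDNS group and port that still carry TTL 255, the carrier-side filter that drops multicast above a TTL threshold, and a one-hop "router" that decrements the TTL so you can see why the check works. All packet bytes are constructed inline and checksums are left at zero.

```python
"""Link-local check for mDNS datagrams (added example; packets are constructed)."""
import ipaddress
import struct

MDNS_GROUP = ipaddress.IPv4Address("224.0.0.251")  # IPv4 mDNS multicast group
MDNS_PORT = 5353
LINK_LOCAL_TTL = 255
IPPROTO_UDP = 17


def parse_ipv4_udp(packet: bytes) -> dict:
    """Pull the fields the locality check needs out of a raw IPv4/UDP datagram.
    Raises ValueError for anything that is not a complete IPv4 datagram with UDP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("not an IPv4 datagram with a full UDP header")
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP")
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if udp_len < 8 or len(packet) < ihl + udp_len:
        raise ValueError("UDP length field disagrees with datagram size")
    return {"ttl": ttl, "src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst), "sport": sport, "dport": dport,
            "payload": packet[ihl + 8:ihl + udp_len]}


def is_link_local_mdns(packet: bytes) -> bool:
    """Receiver-side rule: mDNS group and port, and the TTL must still be 255.
    Note the datagram is fully parsed before the TTL is ever looked at."""
    try:
        f = parse_ipv4_udp(packet)
    except ValueError:
        return False
    return (f["dst"] == MDNS_GROUP and f["dport"] == MDNS_PORT
            and f["ttl"] == LINK_LOCAL_TTL)


def carrier_should_drop(packet: bytes, max_multicast_ttl: int = 64) -> bool:
    """Edge-filter rule the comment attributes to better-protected carriers:
    drop multicast whose TTL is above the threshold (catches TTL-255 mDNS)."""
    try:
        f = parse_ipv4_udp(packet)
    except ValueError:
        return False
    return f["dst"].is_multicast and f["ttl"] > max_multicast_ttl


def router_forward(packet: bytes) -> bytes:
    """What one routing hop does: decrement the TTL (byte 8 of the IPv4 header).
    A real router would also fix the header checksum; it is zero here."""
    ttl = packet[8]
    if ttl <= 1:
        raise ValueError("TTL expired, datagram would be discarded")
    return packet[:8] + bytes([ttl - 1]) + packet[9:]


def build_ipv4_udp(ttl: int, src: str, dst: str, sport: int, dport: int,
                   payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP datagram (no options, zero checksums)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000,
                         ttl, IPPROTO_UDP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + udp


# Constructed sample payload: a 12-byte DNS header, one question, no answers.
SAMPLE_QUERY = b"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"


def demo() -> dict:
    """Run the rules over a fresh mDNS query and its once-routed copy."""
    local = build_ipv4_udp(255, "192.168.1.10", "224.0.0.251", 5353, 5353, SAMPLE_QUERY)
    routed = router_forward(local)  # TTL is now 254
    return {"local_accepted": is_link_local_mdns(local),
            "routed_accepted": is_link_local_mdns(routed),
            "local_dropped_by_carrier": carrier_should_drop(local),
            "routed_ttl": parse_ipv4_udp(routed)["ttl"]}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering in `is_link_local_mdns` is the point the comment closes on: the TTL check is an application-level policy applied after the datagram has already been received and parsed, so it limits where legitimate mDNS is honoured, not which bytes reach the parser.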
Excellent response (Score:2)
Local network only - depends on mDNS (Score:4, Interesting)
Market share? (Score:3, Insightful)
Flamebait WTF? (Score:2)
Re: (Score:2)
Re: (Score:2)
Who's paying him? (Score:2)
They're the ones who challenged Joanna Rutkowska about her bluepill (see the "Hi Joanna" quote on the blog), and have had contact with infosec sellout in the past.
3 known exploits.... (Score:2)
Have mDNSresponder run without root privileges (Score:5, Informative)
% sudo launchctl unload
% sudo chown nobody:wheel
% sudo chmod 4750
% sudo launchctl load
If someone wants an explanation of what the above commands accomplish, please read further.
1. launchctl is used to unload and load the mDNSResponder daemon.
2. We change the owner of the mDNSResponder to nobody and ensure that wheel is the group. The group is used to ensure that members of the wheel group may launch mDNSResponder and not other users of the system (with the exception of root and anything else running as nobody).
3. We change the permissions of the mDNSResponder program to be setuid nobody. This means that mDNSResponder will run as nobody and only be able to affect files owned by that account or files it happens to have write privileges against.
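An audit of the privilege drop described above, as an added example (not from the page): `who_runs_it` models the setuid rule the work-around relies on, and `audit_binary` checks an on-disk file against the intended owner, group and mode 4750. The path to mDNSResponder is not given on the page, so the command-line demo takes a placeholder path you supply.

```python
"""Audit a daemon binary for the owner/group/mode hardening described above (added example)."""
import grp
import os
import pwd
import stat

EXPECTED_MODE = 0o4750  # setuid, owner rwx, group r-x, no world access


def who_runs_it(owner_uid: int, mode: int, invoker_uid: int) -> int:
    """Effective uid a process gets when this file is executed:
    the owner's if the setuid bit is set, otherwise the invoker's own."""
    return owner_uid if mode & stat.S_ISUID else invoker_uid


def _name(lookup, key):
    """Resolve a uid/gid to a name, falling back to the bare number."""
    try:
        return lookup(key)
    except KeyError:
        return str(key)


def audit_binary(path: str, expected_owner: str = "nobody",
                 expected_group: str = "wheel",
                 expected_mode: int = EXPECTED_MODE) -> dict:
    """Compare a file's owner, group and permission bits with the hardened
    configuration and report the security-relevant findings."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    return {
        "owner": owner,
        "group": group,
        "mode": oct(mode),
        "setuid": bool(mode & stat.S_ISUID),
        # setuid on a root-owned file is exactly what the work-around removes.
        "setuid_root": bool(mode & stat.S_ISUID) and st.st_uid == 0,
        "world_accessible": bool(mode & stat.S_IRWXO),
        "owner_ok": owner == expected_owner,
        "group_ok": group == expected_group,
        "mode_ok": mode == expected_mode,
    }


def hardened(report: dict) -> bool:
    """True only when every check in an audit_binary() report passes."""
    return (report["owner_ok"] and report["group_ok"] and report["mode_ok"]
            and not report["setuid_root"] and not report["world_accessible"])


if __name__ == "__main__":
    import sys
    # Placeholder path; the real location is not given on the page.
    target = sys.argv[1] if len(sys.argv) > 1 else "/PLACEHOLDER/path/to/mDNSResponder"
    rep = audit_binary(target)
    print(rep, "hardened" if hardened(rep) else "NOT hardened")
```

Run it as `python3 audit.py /path/to/binary` after applying the commands; `setuid_root` is the finding that should flip from true to false, and `world_accessible` should be false once the mode is 4750.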
Re: (Score:3, Informative)
1500 Test stations? (Score:5, Insightful)
Learn to read. (Score:3, Informative)
You need to read deeper.
OSX: No routed open ports by default. All services can be bound to localhost only. All IP-based services can be disabled. Conventional browser that requires applications to install extensions. Can be run securely with no firewall in place, the optional firewall is "defense in depth". It's not perfect, but the "surface area" exposed to remote attacks is small and can be eliminated.
Windows: Routed open port
Blog posting strange (Score:2)
Funny name... (Score:2, Funny)
"Hi, I'm an apple..urrgh"
"unf unf unf"
Well it would be an interesting ad I guess.
Not funny or good (Score:2)
Dear Apple Inc (Score:3, Interesting)
Assuming he hasn't made up that bit... (Score:3, Insightful)
Wow (Score:4, Funny)
This just in (Score:3, Funny)
Covered in shit? (Score:4, Insightful)
"I'm not going to use Mac because while it may be clean now, I could get covered in shit at any time!"
"But you're already covered in shit".
"Errr... yes. But I'm sorta used to it..."
10.4.10 (Score:4, Interesting)
Re:10.4.10 (Score:4, Interesting)
CVE-ID: CVE-2007-2386
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
A remote attacker may be able to cause a denial of service or arbitrary code execution
Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.
mDNSResponder is OSS, not? (Score:3, Interesting)
Anyone knows if this might provide a way to write a FreeBSD worm?
Hey, be nice now! (Score:4, Funny)
Re: (Score:3, Interesting)
Re:rape.osx is fitting (Score:4, Insightful)
Re: (Score:2)
It doesn't (Score:4, Interesting)
Re:pfft (Score:5, Insightful)
Re: (Score:2)
Seriously, every ad for an episode of Bones or House MD that I saw on TV was: "Tonight on a controversial all-new Bones..."
Re:Apple Coded (Score:5, Informative)
Re:Root Account Disabled... (Score:4, Informative)
Re: (Score:3, Informative)
To do root level things uses "su" (substitute user
Closed source software like Sendmail and PHP? (Score:4, Interesting)
The biggest UNIX webserver security holes are due to PHP.
The biggest problem is not "closed" vs "open" source. It's design. Is the API secure (that is, if the implementation is perfect, would the resulting system be perfectly secure)? Does the API fail "open" or "closed"? Is there a mechanism to request trusted access from *outside* the trusted domain? If so, is that enabled by default?
If the answers are "yes", "closed", "no", and "no" then you may have built a secure system.
Surprise, surprise, there's a lot of open source software that isn't secure by that standard, including the much-lauded Firefox. Now don't get me wrong, the surface area Firefox's XPI and the XPI install mechanism exposes to attack is like the radar signature of a stealth fighter, where Internet Explorer's "insecurity" zones and ActiveX give it the radar signature of a flock of 747s, but it's not necessary for either exposure to exist at all.
Open Source doesn't create secure systems. It's a hell of a mitigating factor, yes, but the real source of long-lasting security holes (and we don't know if this is one or not, because the soi-disant "researcher" responsible isn't being open about the vulnerability he's found) is insecure design and a preference for patching particular attack vectors rather than fixing the insecure design. And that isn't limited to closed source systems.