Worm Claimed For Apple OS X

SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."

worm in apple?

[linuxmeltz]

Hey, there's a worm in my apple...

Re:worm in apple?

[Anonymous Coward]

... which is much better than half a worm!

Re:worm in apple?

[dotpavan]

when God (Gates) specifically asked you NOT to eat the Apple (Inc), you should have listened :)

Re:worm in apple?

[Anonymous Coward]

Does that make Jobs the Snake? That does explain why he slithers.

Re:

[catwh0re]

While I have no doubt that worms etc can be created for OSX (or any OS, given enough time.) I'm not really fond of companies blowing their trumpet until they're certain. It's very rich to claim all that publicity without notifing the vendor, or even being 100% certain. Otherwise it comes across as yet another company that is trying to claim solely for the benefit of the massive attention that it will draw on the company. Whether it's a fiasco involving wifi hardware or an antivirus company claiming endless

Re:

[Maniac-X]

If by "well versed in frauds and half-truths" you mean well versed in spreading their own brand of propoganda and half-truths, then yes, you are correct.

Re:

[kestasjk]

If you have a sandpit it's much easier to bury your head in it, rather than try and come up with a reasonable explanation of why this worm is part of Jobs' master plan.

Re:

[Anonymous Coward]

Your opinion? Is it the result of envy because a mac user spends more time using their system productively instead of configuring it? Those that spend all day configuring their system, installing software they'll never use and reinstalling stuff for "fun" are obviously envious of the productive mac users who spend their computer time creating content and not just playing with the content designed by others.

Re:

[gnasher719]

Who modded this as funny? It might have been funny in 1978, but most people thought the joke was a bit old back then.

That's not true...

[oogoliegoogolie]

That's impossible!

Re:That's not true...

[kestasjk]

That's impossible!

It's possible, but:

• It doesn't exist in the wild; this is because of OS X's stunning security features
• This vulnerability was probably placed into the system by Jobs himself. If there were no vulnerabilities in OS X people would realize Jobs was supernatural, so he has to put one in there from time to time.
• This vulnerability is probably the last vulnerability in OS X. Once Apple fixes this there'll be no more
• Way, way more vulnerabilities are found in Windows and Windows products; this is because of OS X's breathtaking security features
• This is probably a bug in BSD or Mach code, or one of the recent Intel chip bugs, or a Microsoft employee infiltrated the Cupertino campus. It's not Apple's fault.
• Microsoft spends its entire R&D budget looking for these elusive Apple holes just as a way of discrediting Apple. If the real number of Microsoft and Linux vulnerabilities were actually disclosed there would be no comparison.
• Apple puts the occasional vulnerability in its system because they know that Microsoft blindly copies anything Apple does. If Apple puts one bug into their system they know Microsoft will put 10 bugs in theirs.
• Microsoft worms spread spambots and steal credit card information, Apple worms are just a misguided attempt of a loyal Apple fan to spread the good vibes and let the community know he cares. With Mac OS X only your unquestioning loyalty is contagious.

Such a breathtaking OS on a rock solid foundation with over 1 million configurations. Say hello to OS X Panda. Starting at $99. Small sentence. Reinvented.

Actually...

[LKM]

The only people I always see spouting such crap are the people who claim to hate Apple fanboys. I've never seen an Apple fanboy make absurd claims like yours. This is like a fucking self-fullfilling prophecy. Every damn article about Apple is run over by stupid Anti-Apple trolls who write hundreds of comments laughing about imaginary Apple fanboys and the imaginary stupid things they say. [crazyapplerumors.com]

Here's an idea: Shut up, and let those who are interested in the article discuss it. Thanks.

Re:

[LKM]

Yes I am one of those cult infidels or traitors who flooded those forums because his mind couldn't handle all those non logical junk there. Now, I am happily missing.

Here's a serious question for you: Are you stupid? Did you read anything I wrote? Are you answering to my post simply to proof that I was right? Okay, three questions. And no, you don't have to answer.

Worst security nightmare is having some issues on host operating system and whoever tells such flaws gets burned by some zealot cult. I hate fanboys because they risk my OS security.

Yeah. What fanboys? Reading through this discussion, I see dozens and dozens of people complaining about Apple fanboys. Yet I do not see a single post of one of these hypothetical Apple fanboys claiming that "Mac OS X can't be penetrated" or that "this security issue is actually a good thing."

I'm not sur

Re:

[iluvcapra]

"NO!!!!! NO!!!!!"

(it was a lot sillier when Hayden Christianson said it)

Re:

[Bemopolis]

And even sillier when he said it Chinese...

"DO NOT WAAAANNNTTTT!!!!"

*ahem*

[Duncan3]

As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm.

If by fully testing you mean "auctioning it to the highest bidder" then yea.

temporary work-around

[mzs]

Disable mDNSResponder:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSRespon der.plist

Re:temporary work-around

[dch24]

Very good. That might disable the security hole, if what has been disclosed so far is 100% accurate. If not, well, all you lose is Bonjour (useful for discovering iChat and iTunes connections on your local subnet).

also quite useless

[Jeremy_Bee]

IMO the really funny thing is that this joker decided to use a Bonjour vulnerability to work on, when everything I've heard indicates a major reworking of the Bonjour code in Leopard anyway.

Isn't this kinda like working out a vulnerability in AppleTalk a month before they stopped using it?

Re:also quite useless

[zootm]

Many of the major Windows worms and so forth target vulnerabilities which have already been fixed (and the fixes pushed out) months before. Not only will many not upgrade to Leopard, if the OS X userbase is similar to the Windows userbase (I'm not sure if it is, but still), many will simply not click the button to install the updates, and leave themselves vulnerable.

Re:

[Gilmoure]

Read how Apple's Quicktime 7.2 update [macfixit.com] went and caused issues on Intel based Macs. It broke some PPC apps on some machines. Also, Apple's pulled a DVD drive firmware update [macfixit.com], after it hosed some hardware. Now, I'm a Mac tech and have only owned Macs, except for my old TI 99/4A but you can't paint Apple in polished gold all the time. They screw up things just like any other computer company.

Re:

[TheRaven64]

I'd really be interested as to whether this vulnerability is OS X only. Apple have released mDNSResponder under an Apache 2.0 license, and it runs on Windows and *NIX. Is the vulnerability in mDNSResponder, or how it interacts with OS X?

I question the ethics, and my legality

[Swift2001]

First of all, if he's found a real vulnerability, he reports it. I don't care if it's Apple or Linux or even Windows. "Waiting until I finish it" is a disgusting excuse. Will he sell it to the bad guys? Is this free publicity for some jerk? I think the Slashdot world ought to have a serious discussion of this kind of jerk. I think Congress might to. If what he's doing isn't illegal now, maybe it should be.

Re:I question the ethics, and my legality

[Tobenisstinky]

Good idea. However, a serious discussion on /. is unlikely.

Re:

[sokoban]

Will he sell it to the bad guys? Is this free publicity for some jerk?

To answer your questions:

Yes and yes.

Re:I question the ethics, and my legality

[Mr. Flibble]

I think the Slashdot world ought to have a serious discussion of this kind of jerk. I think Congress might to. If what he's doing isn't illegal now, maybe it should be.

I agree. We should also question the ethics of Theo de Raadt. After all, this guy published an exploit for OpenSSH. Who does this guy think he is? Hell, he should have given the problem to the developers of OpenSSH to fix it, not be out there releasing exploits and stuff.

Re:I question the ethics, and my legality

[samkass]

I'm sure you're trying to be sarcastic, but it would DEFINITELY be a good idea to include everyone from your random teenage mom's basement hacker to Theo de Raadt in the discussion. Just because someone has done great things for the community it doesn't mean he's going about addressing exploits in the best way.

Re:I question the ethics, and my legality

[QuantumG]

Sounds like a great plan. Make it compulsory to report vulnerabilities eh? Maybe even ban the selling of vulnerabilities. Kinda makes you wonder why any third party would bother looking for them.

Re:I question the ethics, and my legality

[QuietObserver]

From my point of view, the original argument never said anything about making vulnerability reporting compulsory, but that concealing a vulnerability is morally reprehensible, and claiming to keep a vulnerability secret until an exploit is finished is a disgusting excuse.

Re:

[QuantumG]

Why do you think concealing a vulnerability is morally reprehensible?

Some people think revealing a vulnerability is morally reprehensible.

Some people think not revealing a vulnerability to anyone but the person who made the damn thing in the first place is morally reprehensible.

You can't just make a blanket statement about a complex issue like this and assume we all know what your position is.

Re:

[QuietObserver]

The only way for a person to improve is to receive constructive criticism and to listen when others point out their failings. I personally listen when others point out my mistakes, and do my best to correct them, so I likewise believe that concealing information for the sole purpose of one's own advantage, without consideration for anyone who might be hurt because of one's actions, is immoral. Furthermore, I don't understand how you can consider the creation of malware a complex issue; in the long run, no

Re:I question the ethics, and my legality

[QuantumG]

And that's the problem. You want to look at it in simple terms instead of considering the whole issue.

Apple and other software vendors have chosen a development model that maximizes their ability to hide defects in their software. If people are morally obliged to report any of the defects they independently find in the software then the vendor has no incentive to ensure the defects are found before the product hits the market. To put it another way, time to market is much more important to them than making a product free of defects. The only thing that motivates them to ensure their products are defect free is malware. As such, creation of malware actually *helps* to make the vendor take more responsibility for the defects in their product.

 

Re:Time to Market??? They aren't exactly rushing..

[QuantumG]

I'm not exactly quaking in my boots here...

For every remote vulnerability you hear about there are dozens you don't. The vast majority of people looking for vulnerabilities are "bad guys", and they don't tell us what they find.

Hopefully that will change sometime soon. I like to think there is a push coming that is going to make vendors think differently about software security.

But maybe that's just over-optimistic.

Re:I question the ethics, and my legality

[fox1324]

If what he's doing isn't illegal now, maybe it should be.

Maybe it shouldn't be. There are hundreds of /. threads filled up with complaints about the US government and legal system. Our rights are constantly eroded by attempts to 'legislate morality'. Repeat with me: just because something is unethical or immoral does NOT mean it needs to be illegal. Ethics and morals are nothing more than opinions, and they vary greatly from person to person.

Neglecting to report a vulnerability is not remotely criminal, no matter how much you disagree with his motivation.

Re:I question the ethics, and my legality

[MadMidnightBomber]

Because Congress is well known for its mature and insightful discussion of computer and network security issues.

Re:

[QuantumG]

Can you state why you think it is the ethical thing to do? I mean, it doesn't take a genius to find a security vulnerability. Apple are quite capable of discovering it themselves. Why should he be ethically required to do Apple's job for them?

Re:

[QuantumG]

Dude, they're a company. They have a responsibility to make a product that is as free of defects as possible. He has no responsibility to them. If you were making this argument for, say, the Linux project, I can see where you're coming from. The Linux developers make something great and they give it away. But Apple ain't no charity.

As great as arguing from analogy can be, it's really a weak form of emotional badgering. Make a real argument.

Re:

[Sparks23]

Oh, please. Most sensible Mac users recognize that while OS X is /more/ secure out-of-the-box than your average XP installation, and segments permissions better, there's still plenty of ways for things to mess up an OS X box. It's stupid to think any OS is invulnerable; Linux isn't, FreeBSD isn't, Mac OS X isn't, Windows sure as heck isn't. It's just harder to target an out-of-box configuration, and so people generally don't bother. (Which, I grant, doesn't mean some Mac users won't be up in arms and cl

Tipping the scales?

[dsdtzero]

The fact that the breaking news on slashdot is "someone found the third way to attack a mac machine" is a compelling argument to purchase a mac over a PC. Unless someone can explain to me how this is the seed of an impending snowball of mac-targeted malware.

Re:Tipping the scales?

[Daniel Dvorkin]

Yes, exactly. Three proofs of concept vs. thousands, maybe millions, of vulnerabilities in the wild.

The author claims, "While it is nothing special compared to Windows based Malware it does prove a point -- Apple Computers are just as susceptible to Malware as Windows based ones." Oh, bullshit. The fact that this particular security vulnerability exists does not mean that OS X is just as much a wide-open target as Windows is.

In the "Classic" MacOS days, there was a fair amount of Mac malware -- never as much as in the PC world, of course, but plenty of it running around. Since OS X became the standard, this hasn't happened. The "vulnerability through popularity" argument just doesn't hold up to this fact.

Re:

[timmarhy]

the number of vulnerabilities is irrelvant, what matters is how easily it spreads and what it's payload is like.

IF this is real, and it can spread quickly and cause maximum damage then it's just as bad as windows, because the end result is an unsafe system.

Re:

[v1]

I doubt they are nearly as worried as they could be. From the looks of it, it can only spread locally on your subnet. Internet worms like code red, that can infect 70% of the vulnerable machines in the world in eight minutes, vs this whic may infect up to 254 machines on the typical network. Anyone that even attempts to put those two exploits in the same timezone needs a beating with a ClueBat.

one is bad

[symbolset]

I would not say one potential laboratory specimen for OSX is as bad as all 180,000 known Windows threats in the wild even if it's real.

Bad, though, yes, it is, if it's real.

Did I mention it wasn't in the wild? Your mac cannot catch this one yet and likely won't ever, if it's even real.

That is not as bad as zero to pwned in 23 seconds average just by connecting XP to the Internet. But bad, yes it may be.

If it's real, then it's bad.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Fred Ferrigno]

Are there really all that many Windows attacks that can remotely exploit a default service? Seems to me the most common vector is people downloading sketchy software from sketchy places. Is there something about Mac OS X that protects users from themselves? Second to that are exploits for IE or Outlook. Aside from "Microsoft programmers are stupid and write bad code" is there some fundamental reason that Safari or Mail couldn't be exploited? I'm not being rhetorical, I really want to know if there is some a

Re:

[NatasRevol]

I really think this argument should be given a name, something along the lines of Godwin's law.

Perhaps Paterson's folly?

Re:

[NatasRevol]

No, I don't.

http://dictionary.reference.com/browse/folly [reference.com]

Windows affected?

[nuckin futs]

exactly what vulnerability in mDNSResponder is it exploiting? Since mDNSResponder also runs on windows if you install bonjour for Windows, does that mean it can possibly be affected too?

Re:

[Rosyna]

but it's a safe bet that the underlying vulnerability (buffer overflow or whatever) is present in Bonjour for Windows, as well.

Does mDNSResponder on Windows implement UPnP? At least, I figured Windows would have its own UPnP stack.

Re:

[larry bagina]

not necessarily. In 2002, there was a zlib vulnerability found (involving memory being freed twice). Windows was not affected since it safeguards against double freeing memory.

Can this travel via "broader network segment"?

[Anonymous Coward]

While InfoSec Sellout states that the worm only seeks out other systems on the same network for infection, they point out that it is not going to take much extra work for the worm to attack a much broader network segment.

It's my understanding that the daemon in question works only on the LAN and is part of Bonjour/Rendezvous/Zeroconf/Avahi.... if this is the case, assuming a decent firewall, aren't you only vulnerable within your own local network?

Re:Can this travel via "broader network segment"?

[greed]

Sure, get infected on the school's lab LAN. Bring your iBook oops MacBook to the coffee shop and get everyone else there. They all go home and infect their room-mate's machines. Who go to a different lab and it gets loose on the LAN there.

Most laptops aren't isolated to a single LAN these days; they move around. If there really is a flaw in mDNSResponder, then such a worm does have a chance to propagate. Especially if it is subtle and doesn't crash or overload machines, or do insane amounts of network I/O, or any of the other things that cause people to think something's wrong.

Re:

[NatasRevol]

True. For now, zeroConf is not passed on at the router. However, they are working on an implementation of zeroConf that does get passed across the router. Hopefully, they'll check more closely now on that version for buffer overflows before approving it.

Okay... let me get this straight...

[Penguinisto]

Serious question here:

Somebody writes a worm for OSX that works across a specific test network (of which we have no clue as to settings, layout, patch levels, etc etc), and it's really, really, really big news. Media orgs around the planet sound the klaxon, and (nearly) everyone gets all hyper-ventilated. Claims of "OSX is just as vulnerable!!!1111!!" will fly off the pages.

Meanwhile, the next near-periodic iteration of MSFT-specific malware in-the-wild will get not so much as a grunt outside of security circles (such as SANS ISC and F-Secure's blog as ferinstances). It will likely subvert 40x as many victims in its first hour, and the media won't say so much as 'boo' about it.

Perspective (at least outside of security and some geek circles)? Never heard of it.

/P

Re:

[PhotoGuy]

It's a really big story, because of how unusual any exploit on OS/X is (even without knowing the details, it's a big story), not because it means OS/X is insecure....

Re:Okay... let me get this straight...

[Trillan]

I don't see any suggestions this be buried, only that it be kept in perspective. (Which, I'll grant, is impossible.)

Re:Okay... let me get this straight...

[BlueDjinn]

I don't know of a single Mac user or vendor who has ever claimed that OS X is *COMPLETELY* invulnerable to viruses/etc, only that there hasn't been a demonstrable, malicious, in-the-wild true OS X virus released YET, which is true.

Major difference. In fact, every Mac user I know expects a "true" virus or two to show up for OS X sooner or later, but what of it? So the ratio will go from a bazillion to zero to a bazillion to one or two.

Apple has roughly a 2.5% worldwide market share--wake me when they have anywhere close to 2.5% as many viruses as Windows and I'll start being overly concerned.

Re:

[aesiamun]

actually the material was the commercial and the commercial went something like this:

pc: careful i'm contagious, i have a virus
mac: I'm ok, i can't get that from you. Macs don't have that problem (which is true, a windows virus doesn't infect macs and at the time there were no mac viruses)

False advertising? No. Open ended advertising, sure.

Re:

[aesiamun]

http://www.apple.com/getamac/ads/ [apple.com]

here, look for Viruses...

Quote:
PC: Better stand back this one's a doosy.

Mac: That's ok I'll be fine.

PC: No, no not be a hero. Last year there were 114,000 known viruses for PCs.

Mac: PCs, but not Macs, so...

Where does it say that Macs are invulnerable to viruses?

Re:

[DECS]

Viruses will infect a new Windows PC plugged into the Internet before its patches can be downloaded.

You are right that users control their own security, but this is also the case on the Mac, and Mac users aren't plagued with constant malware problems. I have never scanned a PC and not found lots of malware. I work with a lot of different clients in different settings, from large enterprise groups that hire me to work on specific issues, to small business and home users. I have run large and medium sized IT

Re:

[Aqua OS X]

Well, to be fair, nothing has spread around in the wild that has widely effected Mac OS X users. The only times I've even seen an "infected" OS X box it was a result of me intentionally downloading lame proof-of-concept malware. Even then, those security holes were likely plugged by Software Update within a few days. And unlike WIndows Update, OS X's Software Update isn't god awful and annoying, so many Mac users actually use it.

I could be wrong, but I don't think Apple has ever stated that OS X is immune t

Re:

[samkass]

You make a good point. The fact that there is not a single virus or worm in the wild for MacOS X probably does make this bigger news (assuming the unsubstantiated report is real and it ever makes it into the wild) than it would otherwise be. I'm not sure how much Apple's statements on the matter really affect it, but the fact that someone succeeded in creating such a worm for MacOS X really is pretty big news, I guess. That is, as long as the news organizations don't try to portray MacOS as being as vuln

Is mDNS even routable?

[MBCook]

I was under the impression that mDNS was not routable (and specifically designed not to be routed). If that is true, doesn't that restrict this to propagating to computers on the same subnet? This could effect a business, or a computer lab (say at a university), but this fact should prevent it from spreading around the internet at large (as various Windows worms have).

It's a bug, it's a problem, but it's no Blaster by a long shot.

Re:Is mDNS even routable?

[dch24]

Bundle it with a Windows worm. Exploit Macs on the same subnet as Windows boxes. Then the infected Macs scan for vulnerable Windows boxes and spread the infection. Every vector is useful in an attacker's bad of tricks.

Re:

[mzs]

mDNS uses the link-local multicast address 224.0.0.251. Link local addresses should not be routable, but there is always the possibility of some routers being misconfigured, most likely because some idiot that does not know better wants Bonjour to work across subnets without simply using DNS correctly.

Re:Is mDNS even routable?

[anticypher]

Multicast packets are routable, if the upstream routers support dealing with multicast packets correctly.

mDNS/bonjour/zeroconf detects if a packet has crossed a router by setting the originating TTL to 255. If a multicast packet crosses a router, the TTL is supposed to be decremented, and zeroconf is supposed to ignore the packet as it is no longer considered local. Many suppositions there, as implementations vary.

Worse, starting with a TTL of 255 means that the packets will be able to go anywhere on the internet where multicast packets can get routed. Better protected carriers will drop multicast packets with TTLs greater than 64 or 128, specifically to limit mDNS/zeroconf traffic while allowing reasonable traffic to flow. Most ISPs don't have the technical competence to deal with multicast, so they just block it, which will limit any spread of an mDNS worm.

However, just because mDNS/zeroconf will ignore packets with TTL less that 255, doesn't mean that a buffer overflow bug isn't being treated by the protocol stack. Take a wait and see attitude on this disclosure, as it appears to be an extortion attempt rather than something from legitimate sources.

the AC

Excellent response

[theolein]

My take on it as well. The wording of the claim site is somewhat dubious.

Local network only - depends on mDNS

[mbessey]

So, not quite like the Internet-spanning, DDOS-producing Windows worms we've come to know and hate. I'm not too surprised the vulnerability was in MDNSResponder, though. Someone I work with found a few problems in the code when running it on Linux.

Market share?

[Dan_Bercell]

I havent really looked at the market share percentages of OSes recently, has Apple really grown large enough for Virus makers to start targeting Apple?

Flamebait WTF?

[theolein]

Y'poor bastard, Apache has a larger share of the web server market than IIS, and is just as often targeted, but is more secure. Your question, however, is about targeting, and you're spot on. Mac users are singularly useless when it comes to security. You got modded flamebait by an overzealous dickwad Mac user (and I use Macs m'self)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[v1]

It doesn't work that way. They don't get out the pie charts to decide who to exploit. Sure, a bigger "audience" for their handiwork is surely a bonus, but the typical malcontent, the easier targets always attract 95% of the attacks. Writing viruses for windows seems not too far off from script kiddie class work. There will always be a few "in it for the challenge" to try to hack the gibson etc but they are statistically minor. I view it from the other perspective, that by its intrinsic security and dif

Who's paying him?

[sokoban]

I'm guessing Matasano Security is paying him for this vulnerability.

They're the ones who challenged Joanna Rutkowska about her bluepill (see the "Hi Joanna" quote on the blog), and have had contact with infosec sellout in the past.

3 known exploits....

[gsfprez]

200,783 to go...

Have mDNSresponder run without root privileges

[e. boaz]

If this is a real concern, there is a workaround to have mDNSResponder run without root privileges. Part of the claim is that they can deliver root payloads - this is likely because mDNSResponder runs as the root user and they might be using a buffer overflow exploit [NOTE: I have not analyzed the mDNSResponder code - this is a guess.]

% sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSRespon der.plist
% sudo chown nobody:wheel /usr/sbin/mDNSResponder
% sudo chmod 4750 /usr/sbin/mDNSResponder
% sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSRespon der.plist

If someone wants an explanation of what the above commands accomplish, please read further.
1. launchctl is used to unload and load the mDNSResponder daemon.
2. We change the owner of the mDNSResponder to nobody and ensure that wheel is the group. The group is used to ensure that members of the wheel group may launch mDNSResponder and not other users of the system (with the exception of root and anything else running as nobody.)
3. We change the permissions of the mDNSResponder program to be setuid nobody. This means that mDNSResponder will run as nobody and only be able to affect files owned by that account or by files it may happen to have write privileges against.

Re:

[QuantumG]

If something is remote exploitable, you turn it off. If you do what he is suggesting you're only making it slightly harder for your box to get owned. Oh, and this won't stop a worm.. as the worm almost surely doesn't need root.

1500 Test stations?

[theolein]

Apart from the claim by infosec sellout sounding less than adult - he says the payload was "weaponised" - and his claim that Apple will somehow not fix the "root cause" of the vulnerability if he gives it to them now - extortion anyone? mDNSResponder is Open Source - I seriously question how some independent reearcher can have, as he claims, a test base of 1500 systems. A big company with $1million to throw around might have that, or a university, but I seriously doubt he has the place or resources to afford a test base of this size unless he is using a local university or school, and judging by his spelling and grammar, he is either not English native or he is a teenager, or both. That says nothing about the veracity (truth) of his claim but it is somewhat juvenile, the whole thing.

Learn to read.

[argent]

From the things I read, Mac OS X is just as vulnerable and dangerous as Windows.

You need to read deeper.

OSX: No routed open ports by default. All services can be bound to localhost only. All IP-based services can be disabled. Conventional browser that requires applications to install extensions. Can be run securely with no firewall in place, the optional firewall is "defense in depth". It's not perfect, but the "surface area" exposed to remote attacks is small and can be eliminated.

Windows: Routed open port

Blog posting strange

[mkiwi]

This guy seems to be spending more time posting on his blog and reacting to the fireworks rather than getting his bug reporting done. Even if this is a proven malware app, the poster acts more like a script-kiddie and less like a researcher.

Funny name...

[obeythefist]

Rape.osx?

"Hi, I'm an apple..urrgh"
"unf unf unf"

Well it would be an interesting ad I guess.

Not funny or good

[Bullfish]

If this is the start of a run of viruses attacking macs, it's not funny or good for pc users. It shows an increasing skill in virus writers that indicates that in the future, every machine (even linux boxes) will need security and anti-virus software. And if the virus writers get good enough, that software won't be much of a comfort

Dear Apple Inc

[deke_kun]

Seriously, sit down with this guy. Put a suitcase full of large bills on the table, and tell him it's his if he can prove it works. And then, give the guy some incentive to continue to disclose his so-called "root causes". He is CLEARLY a total whore for cash, which means he is easily bought. You have pockets deep enough, you just sold a bojillion iphones, so buy this guy. If he's full of crap, make the fact that you wanted his "root cause" and he couldnt show you it publicly known, then he gets shamed into STFU and stops spreading FUD. If he does show the root cause, then great, put him on retainer and continue to have a fantastic OS. I know jobs likes to do things all secretive and on his own terms, but this is a public perception issue, it needs to be handled in the public eye. Get on the private jet and go see this guy in person, use the RDF to mess with him and get this shit cleared up. Microsoft got into the situation they're in now by ignoring things like this and pulling the secretive garbage, you don't wanna go down that road, otherwise this crap will get out of hand.

Assuming he hasn't made up that bit...

[argent]

Even assuming he hasn't made up that bit, I'm sure some of the real, ethical researchers looking at the mDNSresponder source code right now will figure out what he's hinting at.

Wow

[Enrique1218]

3 hypothetical worms in seven years. At this rate, I may have to switch to Linux next century!

This just in

[chthonicdaemon]

Researchers say that safes are not completely immune to attack. Some off-the-shelf "safes" can be cracked in less than 5 minutes! They advise that a cardboard box is a more cost-effective way to store valuables, as "people will get in anyway".

Covered in shit?

[GrahamCox]

I frequently hear the old chestnut that the only reason Macs aren't infested with malware is their lack of market share. Whether true or not, it's a funny argument, especially if the person using it is defending their choice of Windows.

"I'm not going to use Mac because while it may be clean now, I could get covered in shit at any time!"

"But you're already covered in shit".

"Errr... yes. But I'm sorta used to it..."

10.4.10

[djahz]

10.4.10 isn`t on the affected systems list.

Re:10.4.10

[fplinn]

wasn't this patched in may ? http://docs.info.apple.com/article.html?artnum=305 530 [apple.com]

mDNSResponder
CVE-ID: CVE-2007-2386
Available for: Mac OS X v10.4.9, Mac OS X Server v10.4.9
A remote attacker may be able to cause a denial of service or arbitrary code execution
Description: A buffer overflow vulnerability exists in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) code used to create Port Mappings on home NAT gateways in the OS X mDNSResponder implementation. By sending a maliciously crafted packet, a remote attacker can trigger the overflow which may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation when processing UPnP protocol packets. This issue does not affect systems prior to Mac OS X v10.4. Credit to Michael Lynn of Juniper Networks for reporting this issue.

mDNSResponder is OSS, not?

[FST777]

If it is, this might be patches relatively soon (allthough it might take a while before Apple approves and deploys the fix). It might also mean that more systems could be affected by this vulnerability. I know FreeBSD uses mDNSResponder (the laptop I'm typing this on is actively using it right now).

Anyone knows if this might provide a way to write a FreeBSD worm?

Hey, be nice now!

[Anonymous Coward]

It's not a flaw; it's a feature. Remember, things are a little different in the Apple world ;)

Re:

[Divebus]

One down, 140,000 to go until he catches up. Good thing mDNS doesn't work on the open Internet, though.

Re:rape.osx is fitting

[TheRaven64]

This could be a big problem on some university campuses, however. Mine, for example, has a huge flat-topology network that was deployed in the '80s (maybe before) and has been upgraded piecemeal without anyone really knowing how the whole thing fits together anymore. When I plug my laptop in, I get around 10KB/s of background traffic sent to the broadcast address hitting me. Running tcpdump shows that most of this is iTunes DAAP. Does this exploit also run on Windows? Apple bundle MDNSResponder with iTunes on Windows, so if that's where the exploit is then it could also be a problem there. It might also be a problem on other *NIX systems that bundle it, since Apple have released it under an Apache 2.0 license (cue all the 'Apple just takes from Open Source and never gives anything back' trolls).

Re:

[miscz]

not to mention misspelled "raep'

It doesn't

[SuperKendall]

Doesn't mean you can't build them. Just means none are released in the wild, true to this date.

Re:pfft

[Divebus]

The Windows camp has nothing to gloat about as long as I'm getting a hundred spam messages a day from compromised Windows machines.

Re:

[snowgirl]

No, it's controversial like the TV definition. Namely, "we just want you to talk about it."

Seriously, ever ad for an episodes of Bones or House MD that I saw on TV were: "Tonight on a controversial all-new Bones..."

Re:Apple Coded

[Trillan]

mDNSResponder is open source.

Re:Root Account Disabled...

[Mr2001]

No, just because you can't log into the account doesn't mean it doesn't exist. Type "sudo sh" and enter your password - presto, you're running a shell as root. Exploit any service running as superuser and you can do the same thing.

Re:

[v1]

All unix requires the root account, it's not really that accurate to say disabled. More like "inaccessible", or to say that "logging in as root is disabled". The password hash starts set to a value to which nothing can hash to, and so there is no valid password to login as root. To "enable root" is simply to set a legal password for it so you can login as root. 99% of mac users will never enable root, and most of them don't even know it exists to enable.

To do root level things uses "su" (substitute user

Closed source software like Sendmail and PHP?

[argent]

The "Internet Worm" targeted Sendmail. Which has proceeded to become notorious for security holes.

The biggest UNIX webserver security holes are due to PHP.

The biggest problem is not "closed" vs "open" source. It's design. Is the API secure (that is, if the implementation is perfect, would the resulting system be perfectly secure)? Does the API fail "open" or "closed"? Is there a mechanism to request trusted access from *outside* the trusted domain? If so, is that enabled by default?

If the answers are "yes", "closed", "no", and "no" then you may have built a secure system.

Surprise, surprise, there's a lot of open source software that isn't secure by that standard, including the much-lauded Firefox. Now don't get me wrong, the surface area Firefox's XPI and the XPI install mechanism exposes to attack is like the radar signature of a stealth fighter, where Internet Explorer's "insecurity" zones and ActiveX give it the radar signature of a flock of 747s, but it's not necessary for either exposure to exist at all.

Open Source doesn't create secure systems. It's a hell of a mitigating factor, yes, but the real source of long-lasting security holes (and we don't know if this is one or not, because the soi-disant "researcher" responsible isn't being open about the vulnerability he's found) is insecure design and a preference for patching particular attack vectors rather than fixing the insecure design. And that isn't limited to closed source systems.