On Thursday, April 8, 2004, at 09:59 PM, tjkphoto wrote:


anyone else catch this one yet?
http://www.Intego.com/news/pr40.html

Is this even possible under OSX? Or just an attempt to sell software by fear? I mean I thought to be able to launch code it would need a pass? no? Although this is what I was saying about a month ago when I said I clicked on one of those stupid unknown emails and all my user files were gone in a flash. Being that I'm set up to always log in automatically as the admin, well it was like being locked out of your own house... and then finding out everything is gone when you do get in.

I really suspect that had nothing to do with the email, but was an unfortunate coincidental file system freakout. A virus like that would be widely known by now, sort of like an outbreak of Ebola in Cincinnati.


Being logged in as an admin user does NOT mean programs can just do Admin things to you; you still have to authenticate by entering your password.

This is a KEY difference in security between Windows and OS X...in Windows, if you're a member of the Administration group on the computer, it's like you're always logged in as root. All that being an Admin user does on a Mac is put you in the sudoers group, meaning you *can* act as root if needed, but you have to authenticate yourself (and that use of sudo is logged).

Hey, if it is real they could name it Divorce - lol

Ok, so what do you all think? Bruce?

Note, this is off the top of my head, I've been thinking about this only since I learned of it yesterday.


One, only one small AV company is making this breathless announcement. All of the big players in the field are conspicuous by their absence, so far, though I've not gotten into the news yet this morning.

Two, the threat posed by this concept is real, I believe, though probably not as dangerous as they're making it seem. The trojan works via the way OS X handles data files with resource forks, so you would have to send this via a compressed file to work.

Ironically, it tricks the user in exactly the same fashion I was deriding Microsoft for just yesterday...the program shows a data file icon, but it's really an executable.

Here is a screenshot of a proof-of-concept implementation (which has been linked in many of the stories on the net); note the icon looks like an iTunes MP3 file, but notice, it's listed as an application.

<http://oscar.pharmacy.arizona.edu/miscjunk/Trojan_poc_finderview.pdf> In OS X this is the only way you would detect this.

Now while this is supposed to show the danger, by popping up a window saying something like 'This could be dangerous' then playing the real MP3, it does not work under iTunes 4, at least, because it apparently isn't paying attention to the resource fork, but looking into the file, finding the MP3 data and playing it. There's also the possibility that the proof-of-concept is flawed, as well, and simply doesn't work.

It's possible that this trick will only work with Carbon-based programs under OS X, I'm not sure.

Under OS 9, I don't know, either, but it might work.

In theory, this concept could have probably worked all along on macs, since the basic mechanism of File type/ creator and data/resource forks has existed in the OS from the beginning.

This is certainly a security problem Apple *should* fix, by showing the icon based on file type AND the creator, and letting file type override in case of a disconnect, as here (where you have an Application file type, and iTunes creator.)

That would give this file a generic executable icon, which ought to clue in users that it's not the hot new Britney Spears tune...

Oh, and while I'm deriding Microsoft: Technically, data files should NOT contain resource forks, as those are where program elements like menu definitions, custom icons, dialog definitions, etc etc, are stored, and those are only used by programs. One of the biggest violators of this rule? Microsoft, who sticks a damned resource fork on every Word document. It's not even *necessary* because the information stored there is also in the file (which is why PCs and Macs can open each other's Word files seamlessly) which would make, yup, you got it, Word files ideal vectors for a real virus like this....

--
"Wherever you go, there you are." - B. Banzai, Ph.D.
Bruce Johnson
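As an added example (not from Bruce's message, the Intego advisory, or the proof-of-concept), here is a small Python scan a defender can run over a download folder to catch the disguise described above: a file whose name and icon say "data file" but whose contents or permissions say "program". It is the scripted counterpart of the Finder "Kind" column check Bruce points to. The extension list and the constructed sample files are assumptions chosen for the demonstration; the magic numbers are the standard Mach-O and fat-binary headers used by OS X and the "Joy!peff" header of classic Carbon (CFM) executables. It does not read the resource fork or HFS type/creator codes, so a classic Mac OS file whose type code alone marks it as an application would still need a file type code check on top of this.

```python
import os
import stat
import tempfile

# Extensions a user would expect to belong to plain data files, not programs (assumed list).
DATA_EXTENSIONS = {".mp3", ".m4a", ".doc", ".jpg", ".pdf", ".txt"}

# Magic numbers of executable containers. The Mach-O and fat-binary values are the
# ones OS X uses; "Joy!peff" is the PEF container of classic Carbon (CFM) applications.
# Note: 0xcafebabe is also the Java class-file magic, so treat that hit as "look closer".
EXECUTABLE_MAGIC = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (byte-swapped)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (byte-swapped)",
    b"\xca\xfe\xba\xbe": "Mach-O fat binary (or Java class file)",
    b"Joy!peff": "PEF (classic CFM) executable",
}


def classify_header(header: bytes):
    """Return a description if the leading bytes look like an executable, else None."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if header.startswith(magic):
            return name
    return None


def inspect_path(path):
    """Return the reasons this path's contents disagree with its data-file extension (empty if none)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext not in DATA_EXTENSIONS:
        return reasons
    try:
        st = os.stat(path)
    except OSError:
        return reasons
    if stat.S_ISDIR(st.st_mode):
        # A folder named "song.mp3" that has a Contents/MacOS layout is an application bundle.
        if os.path.isdir(os.path.join(path, "Contents", "MacOS")):
            reasons.append("directory is an application bundle")
        return reasons
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable bit set on a data-file extension")
    with open(path, "rb") as fh:
        header = fh.read(8)
    kind = classify_header(header)
    if kind:
        reasons.append("contents are " + kind)
    return reasons


def scan(root):
    """Walk root and return {path: [reasons]} for every suspicious file or bundle."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Check directories too, so bundles named like data files are caught; do not descend into them.
        for name in list(dirnames):
            full = os.path.join(dirpath, name)
            reasons = inspect_path(full)
            if reasons:
                findings[full] = reasons
                dirnames.remove(name)
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = inspect_path(full)
            if reasons:
                findings[full] = reasons
    return findings


def demo():
    """Build a constructed sample folder and return the scan result keyed by base name."""
    root = tempfile.mkdtemp(prefix="forkcheck_")
    # Constructed sample 1: a genuine-looking MP3 (ID3 tag header), not executable.
    with open(os.path.join(root, "real_song.mp3"), "wb") as fh:
        fh.write(b"ID3\x03\x00" + b"\x00" * 32)
    # Constructed sample 2: named like an MP3 but holding a Mach-O header, and marked executable.
    fake = os.path.join(root, "hot_new_tune.mp3")
    with open(fake, "wb") as fh:
        fh.write(b"\xfe\xed\xfa\xce" + b"\x00" * 32)
    os.chmod(fake, 0o755)
    # Constructed sample 3: a directory named like an MP3 with an application-bundle layout.
    os.makedirs(os.path.join(root, "album.mp3", "Contents", "MacOS"))
    return {os.path.basename(p): r for p, r in scan(root).items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Run it against a real downloads folder with `scan("/Users/you/Downloads")`; anything it lists deserves the same "Kind: Application" scrutiny Bruce describes before it is double-clicked.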



--
PCI-PowerMacs list info: <http://lowendmac.com/lists/pci-powermacs.shtml>
Archive: <http://www.mail-archive.com/pci-powermacs%40mail.maclaunch.com/>