
Slashdot: News for Nerds


Worm Claimed For Apple OS X

kdawson posted about 7 years ago | from the apple-trees-have-roots-too dept.

Worms 398

SkiifGeek writes "Controversy is slowly building over the development of a claimed new worm that targets OS X systems, dubbed by its inventor Rape.osx. Using a currently undisclosed vulnerability in mDNSResponder, the worm is said to give access to root as it spreads across the local network. As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm. While the worm has yet to leave a testing environment (with 1,500 OS X systems), it is bound to join the likes of Inqtana and Leap as known OS X malware."


398 comments

rape.osx is fitting (0, Funny)

Anonymous Coward | about 7 years ago | (#19894761)

But if I were the guy, I'd have made a virus and called it AIDS.osx.

Re:rape.osx is fitting (0)

Anonymous Coward | about 7 years ago | (#19894897)

pools closed.

never forget.

Re:rape.osx is fitting (1)

miscz (888242) | about 7 years ago | (#19894913)

not to mention misspelled "raep'

Hey, be nice now! (4, Funny)

Anonymous Coward | about 7 years ago | (#19894905)

It's not a flaw; it's a feature. Remember, things are a little different in the Apple world ;)

---===MOD's! See This!!===--- (0)

Anonymous Coward | about 7 years ago | (#19895123)

Mod parent funny. I got a laugh.

mod parent up (-1)

Anonymous Coward | about 7 years ago | (#19895619)

mod parent up

worm in apple? (4, Funny)

linuxmeltz (815217) | about 7 years ago | (#19894793)

Hey, there's a worm in my apple...

Re:worm in apple? (5, Funny)

Anonymous Coward | about 7 years ago | (#19894873)

... which is much better than half a worm!

Re:worm in apple? (3, Funny)

dotpavan (829804) | about 7 years ago | (#19894891)

when God (Gates) specifically asked you NOT to eat the Apple (Inc), you should have listened :)

Re:worm in apple? (3, Insightful)

catwh0re (540371) | about 7 years ago | (#19894993)

While I have no doubt that worms etc can be created for OSX (or any OS, given enough time.) I'm not really fond of companies blowing their trumpet until they're certain. It's very rich to claim all that publicity without notifying the vendor, or even being 100% certain. Otherwise it comes across as yet another company that is trying to claim solely for the benefit of the massive attention that it will draw on the company. Whether it's a fiasco involving wifi hardware or an antivirus company claiming endless vulnerabilities to sell their "protection tools". The apple community is well versed in frauds and half-truths spun as a "massive vulnerability" who cry wolf.

Re:worm in apple? (-1, Flamebait)

Anonymous Coward | about 7 years ago | (#19895353)

Wow, that's quite a case of apple fanboiism you've got going there, buddy. You should really tone that shit down.

Re:worm in apple? (2, Insightful)

Maniac-X (825402) | about 7 years ago | (#19895453)

If by "well versed in frauds and half-truths" you mean well versed in spreading their own brand of propaganda and half-truths, then yes, you are correct.

Re:worm in apple? (1)

gnasher719 (869701) | about 7 years ago | (#19895063)

Who modded this as funny? It might have been funny in 1978, but most people thought the joke was a bit old back then.

pfft (0)

jfekendall (1121479) | about 7 years ago | (#19894875)

I thought Apples didn't get worms. (sarcasm)

Re:pfft (0, Funny)

Anonymous Coward | about 7 years ago | (#19894929)

You're insightful. (sarcasm)

It doesn't (3, Interesting)

SuperKendall (25149) | about 7 years ago | (#19895093)

Doesn't mean you can't build them. Just means none are released in the wild, true to this date.

Re:pfft (-1, Troll)

Anonymous Coward | about 7 years ago | (#19895219)

Exactly. Fuck Apple. And fuck Apple fanboys. Even toy computers can get "raped".

HA HA

Time to pour out a 40 (-1, Offtopic)

Anonymous Coward | about 7 years ago | (#19894877)

For my Brazilian homies that aint with us no more.

That's not true... (2, Funny)

oogoliegoogolie (635356) | about 7 years ago | (#19894881)

That's impossible!

Re:That's not true... (1, Funny)

Anonymous Coward | about 7 years ago | (#19894971)

Search your feelings, you know it to be true. D.V.

Re:That's not true... (1)

iluvcapra (782887) | about 7 years ago | (#19895149)

"NO!!!!! NO!!!!!"

(it was a lot sillier when Hayden Christensen said it)

Re:That's not true... (1)

Bemopolis (698691) | about 7 years ago | (#19895227)

And even sillier when he said it in Chinese...

"DO NOT WAAAANNNTTTT!!!!"

Re:That's not true... (1)

tc3driver (669596) | about 7 years ago | (#19894987)

Nothing is impossible...

improbable... but not impossible ;)

We all knew it was only a matter of time before there were vulnerabilities found.

Time to cook that apple ;)

*ahem* (5, Insightful)

Duncan3 (10537) | about 7 years ago | (#19894953)

As with a number of recent Apple-related security discoveries, the author, InfoSec Sellout, is delaying reporting the vulnerability to Apple until after completing full testing of the worm.

If by fully testing you mean "auctioning it to the highest bidder" then yea.

Re:*ahem* (0)

QuantumG (50515) | about 7 years ago | (#19895195)

1. Not sure who would buy it.
2. Why is that bad? Who should get it, the lowest bidder?
3. As one of the few people even bothering to look for security issues on Macs, I guess he has the market cornered.

temporary work-around (4, Informative)

mzs (595629) | about 7 years ago | (#19894961)

Disable mDNSResponder:

sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

Re:temporary work-around (4, Informative)

dch24 (904899) | about 7 years ago | (#19895157)

Very good. That might disable the security hole, if what has been disclosed so far is 100% accurate. If not, well, all you lose is Bonjour (useful for discovering iChat and iTunes connections on your local subnet).

I question the ethics, and my legality (4, Insightful)

Swift2001 (874553) | about 7 years ago | (#19894973)

First of all, if he's found a real vulnerability, he reports it. I don't care if it's Apple or Linux or even Windows. "Waiting until I finish it" is a disgusting excuse. Will he sell it to the bad guys? Is this free publicity for some jerk? I think the Slashdot world ought to have a serious discussion of this kind of jerk. I think Congress might too. If what he's doing isn't illegal now, maybe it should be.

Re:I question the ethics, and my legality (5, Insightful)

Tobenisstinky (853306) | about 7 years ago | (#19894995)

Good idea. However, a serious discussion on /. is unlikely.

Re:I question the ethics, and my legality (1)

sokoban (142301) | about 7 years ago | (#19895021)

"Will he sell it to the bad guys? Is this free publicity for some jerk?"

To answer your questions:

Yes and yes.

Re:I question the ethics, and my legality (5, Funny)

Mr. Flibble (12943) | about 7 years ago | (#19895077)

I think the Slashdot world ought to have a serious discussion of this kind of jerk. I think Congress might to. If what he's doing isn't illegal now, maybe it should be.


I agree. We should also question the ethics of Theo de Raadt. After all, this guy published an exploit for OpenSSH. Who does this guy think he is? Hell, he should have given the problem to the developers of OpenSSH to fix it, not be out there releasing exploits and stuff.

Re:I question the ethics, and my legality (4, Insightful)

samkass (174571) | about 7 years ago | (#19895447)

I'm sure you're trying to be sarcastic, but it would DEFINITELY be a good idea to include everyone from your random teenage mom's basement hacker to Theo de Raadt in the discussion. Just because someone has done great things for the community it doesn't mean he's going about addressing exploits in the best way.

Re:I question the ethics, and my legality (0, Insightful)

Anonymous Coward | about 7 years ago | (#19895101)

I don't care if it's Apple or Linux or even Windows.

I want to give you the benefit of the doubt, but your post really reads like you're an irritated Mac fanboy. Congress? Illegal? Give me a fucking break!!

Re:I question the ethics, and my legality (3, Insightful)

QuantumG (50515) | about 7 years ago | (#19895117)

Sounds like a great plan. Make it compulsory to report vulnerabilities eh? Maybe even ban the selling of vulnerabilities. Kinda makes you wonder why any third party would bother looking for them.

Re:I question the ethics, and my legality (4, Insightful)

QuietObserver (1029226) | about 7 years ago | (#19895233)

From my point of view, the original argument never said anything about making vulnerability reporting compulsory, but that concealing a vulnerability is morally reprehensible, and claiming to keep a vulnerability secret until an exploit is finished is a disgusting excuse.

Re:I question the ethics, and my legality (1)

QuantumG (50515) | about 7 years ago | (#19895277)

Why do you think concealing a vulnerability is morally reprehensible?

Some people think revealing a vulnerability is morally reprehensible.

Some people think not revealing a vulnerability to anyone but the person who made the damn thing in the first place is morally reprehensible.

You can't just make a blanket statement about a complex issue like this and assume we all know what your position is.

Re:I question the ethics, and my legality (5, Insightful)

fox1324 (1039892) | about 7 years ago | (#19895245)

If what he's doing isn't illegal now, maybe it should be.


Maybe it shouldn't be. There are hundreds of /. threads filled up with complaints about the US government and legal system. Our rights are constantly eroded by attempts to 'legislate morality'. Repeat with me: just because something is unethical or immoral does NOT mean it needs to be illegal. Ethics and morals are nothing more than opinions, and they vary greatly from person to person.

Neglecting to report a vulnerability is not remotely criminal, no matter how much you disagree with his motivation.

Re:I question the ethics, and my legality (0)

Anonymous Coward | about 7 years ago | (#19895311)

While I agree with you that ethically he should inform Apple as soon as he knows about it, how would you logically legally force him? What laws would Congress make to stop him from keeping it to himself?

A law stating you must give any information to a company that desires it? That certainly won't hold up anywhere.

A law not allowing one to search for these bugs in the first place? Really big mistake there, then the only people that will know about insecurities are the people up to no good.

Simply put we as a society should perhaps bombard him with annoying emails to do the ethically correct thing but there is no way that we could use a legal method to force the information out of him before he wishes to give it.

Re:I question the ethics, and my legality (1)

QuantumG (50515) | about 7 years ago | (#19895351)

Can you state why you think it is the ethical thing to do? I mean, it doesn't take a genius to find a security vulnerability. Apple are quite capable of discovering it themselves. Why should he be ethically required to do Apple's job for them?

Re:I question the ethics, and my legality (1, Insightful)

Anonymous Coward | about 7 years ago | (#19895477)

Finding a bug in software and reporting it I think of as similar to the situation where you are walking down the street and you see someone drop something of theirs and they don't notice, being a person of good ethics, you inform that person that they dropped it, and maybe get it for them and return it to them. Same here, he found a bug and has gone and shown off that he got it, he should really explain it instead of flaunting knowledge. There is certainly no need to rush, but it would of course be nice if he shared his findings with those who (I assume so anyway) worked hard to make the software.

Re:I question the ethics, and my legality (1)

QuantumG (50515) | about 7 years ago | (#19895583)

Dude, they're a company. They have a responsibility to make a product that is as free of defects as possible. He has no responsibility to them. If you were making this argument for, say, the Linux project, I can see where you're coming from. The Linux developers make something great and they give it away. But Apple ain't no charity.

As great as arguing from analogy can be, it's really a weak form of emotional badgering. Make a real argument.

Re:I question the ethics, and my legality (0)

Anonymous Coward | about 7 years ago | (#19895697)

I guess I'll stay here in Linux land then, people seem to be more cooperative on both sides of the bug report :)

Re:I question the ethics, and my legality (-1, Troll)

Alcoholic Synonymous (990318) | about 7 years ago | (#19895367)

Making a fully developed proof of concept worm to show all the iTards that their "invincible" attitude is as retarded as they are should be illegal? More power to the guy. He's making sure it's nasty enough for Apple and their fanbois to not be able to blow off, a real threat. I would have given no warning or announcement at all, just set it free (which already is illegal). The iTards need a good iSmack like this to make them iSTFU. I'm quite sure Apple will outbid whoever just to bury this and pretend that OSuX has never had any holes. Pretty much like the same as they already do.

(I know, I "lie", Apple has never had a single virus or worm ever. Yesterday's article on Elk Cloner's 25th anniversary was also a lie. And Steve Jobs really is iJesus.)

Re:I question the ethics, and my legality (1)

Maniac-X (825402) | about 7 years ago | (#19895479)

It's only illegal if he infects other peoples' computers with it. If he's only using it in his own testing environment, there's nothing illegal about it at all.

Tipping the scales? (5, Insightful)

dsdtzero (137612) | about 7 years ago | (#19894979)

The fact that the breaking news on slashdot is "someone found the third way to attack a mac machine" is a compelling argument to purchase a mac over a PC. Unless someone can explain to me how this is the seed of an impending snowball of mac-targeted malware.

Re:Tipping the scales? (4, Insightful)

Daniel Dvorkin (106857) | about 7 years ago | (#19895145)

Yes, exactly. Three proofs of concept vs. thousands, maybe millions, of vulnerabilities in the wild.

The author claims, "While it is nothing special compared to Windows based Malware it does prove a point -- Apple Computers are just as susceptible to Malware as Windows based ones." Oh, bullshit. The fact that this particular security vulnerability exists does not mean that OS X is just as much a wide-open target as Windows is.

In the "Classic" MacOS days, there was a fair amount of Mac malware -- never as much as in the PC world, of course, but plenty of it running around. Since OS X became the standard, this hasn't happened. The "vulnerability through popularity" argument just doesn't hold up to this fact.

Re:Tipping the scales? (2, Interesting)

timmarhy (659436) | about 7 years ago | (#19895209)

the number of vulnerabilities is irrelevant, what matters is how easily it spreads and what its payload is like.

IF this is real, and it can spread quickly and cause maximum damage then it's just as bad as windows, because the end result is an unsafe system.

Re:Tipping the scales? (0, Redundant)

Maniac-X (825402) | about 7 years ago | (#19895515)

There's a reason for that. ~90%+ of computers on earth are running Windows, while it's estimated that Macs control about 2.5% of the market. If you're writing malware to hurt people, do you want to do it to a very small minority? No, you want to go after the big group, because you get the most victims that way.

Re:Tipping the scales? (3, Interesting)

toadlife (301863) | about 7 years ago | (#19895775)

"In the "Classic" MacOS days, there was a fair amount of Mac malware -- never as much as in the PC world, of course, but plenty of it running around. Since OS X became the standard, this hasn't happened. The "vulnerability through popularity" argument just doesn't hold up to this fact."

Why not? OSX has never had nearly the same install-base that classic Mac OS did during its heyday, and of all the predominant methods that malware spreads simply can't work on OSX like they do on Windows because there are not enough potential hosts.

Take the classic email based worm for example. Given that only about 4-8% of computers run OSX, how would an email worm spread on Macs? If you sent it to 100,000 email addresses you'd be lucky if 8,000 OSX users received the email. If 50% of those 8000 OSX users fell for it and executed the payload, the worm would have to find 25 new email addresses that belong to uninfected OSX users in order to maintain its population. Otherwise the number of new infections would decrease exponentially until the worm became extinct.

The 50% infection rate and number of new email addresses required per infected host are both unrealistic IMO. More realistic numbers would only serve to further prove my point - that spreading malware to OSX computers is virtually impossible.

Network borne malware is a different story, but that's become an almost non-issue since Windows XP SP2 came out and enabled the firewall by default.

Re:Tipping the scales? (0, Redundant)

Cal Paterson (881180) | about 7 years ago | (#19895307)

No, that's just not how it works.

The fact that it is breaking news is because of the oft cited claim that Macs are not susceptible to viruses; not because they are actually secure and this is an unexpected attack. Apple do not engage in anywhere near the level of testing or release engineering to actually be secure - they're secure for the same reasons that Windows is secure: obscurity.

It's just that their market share has recently become high enough for them to become a target of virus writers, not because they are better designed.

Re:Tipping the scales? (2, Insightful)

NatasRevol (731260) | about 7 years ago | (#19895549)

I really think this argument should be given a name, something along the lines of Godwin's law.

Perhaps Paterson's folly?

Re:Tipping the scales? (0)

Anonymous Coward | about 7 years ago | (#19895803)

If by folly you mean truth, then yeah, that would work.

Re:Tipping the scales? (0, Troll)

QuantumG (50515) | about 7 years ago | (#19895397)

Maybe because there were only 3 people looking for Mac vulnerabilities?

And each of them found one.

Poor Apple writers (-1, Troll)

eebra82 (907996) | about 7 years ago | (#19894997)

I guess 3/4 of Jobs' next WWDC speech must be rewritten now.

Windows affected? (5, Interesting)

nuckin futs (574289) | about 7 years ago | (#19895007)

exactly what vulnerability in mDNSResponder is it exploiting? Since mDNSResponder also runs on windows if you install bonjour for Windows, does that mean it can possibly be affected too?

Probably similar (0)

mbessey (304651) | about 7 years ago | (#19895213)

The actual exploit code would need to be different for Windows than for Mac OS X, but it's a safe bet that the underlying vulnerability (buffer overflow or whatever) is present in Bonjour for Windows, as well.

Re:Probably similar (1)

Rosyna (80334) | about 7 years ago | (#19895393)

"but it's a safe bet that the underlying vulnerability (buffer overflow or whatever) is present in Bonjour for Windows, as well."

Does mDNSResponder on Windows implement UPnP? At least, I figured Windows would have its own UPnP stack.

Re:Probably similar (2, Interesting)

larry bagina (561269) | about 7 years ago | (#19895395)

not necessarily. In 2002, there was a zlib vulnerability found (involving memory being freed twice). Windows was not affected since it safeguards against double freeing memory.

Controversy? (1)

ChromeAeonium (1026952) | about 7 years ago | (#19895011)

Is there controversy over the fact that someone is making, testing, improving, and preparing a worm that could be used to infect systems, or controversy because Macs can be infected by this worm?

Re:Controversy? (1)

snowgirl (978879) | about 7 years ago | (#19895191)

No, it's controversial like the TV definition. Namely, "we just want you to talk about it."

Seriously, every ad for an episode of Bones or House MD that I saw on TV was: "Tonight on a controversial all-new Bones..."

Can this travel via "broader network segment"? (2, Interesting)

Anonymous Coward | about 7 years ago | (#19895013)

While InfoSec Sellout states that the worm only seeks out other systems on the same network for infection, they point out that it is not going to take much extra work for the worm to attack a much broader network segment.

It's my understanding that the daemon in question works only on the LAN and is part of Bonjour/Rendezvous/Zeroconf/Avahi.... if this is the case, assuming a decent firewall, aren't you only vulnerable within your own local network?

Re:Can this travel via "broader network segment"? (5, Interesting)

greed (112493) | about 7 years ago | (#19895495)

Sure, get infected on the school's lab LAN. Bring your iBook oops MacBook to the coffee shop and get everyone else there. They all go home and infect their room-mate's machines. Who go to a different lab and it gets loose on the LAN there.

Most laptops aren't isolated to a single LAN these days; they move around. If there really is a flaw in mDNSResponder, then such a worm does have a chance to propagate. Especially if it is subtle and doesn't crash or overload machines, or do insane amounts of network I/O, or any of the other things that cause people to think something's wrong.

Re:Can this travel via "broader network segment"? (1)

NatasRevol (731260) | about 7 years ago | (#19895621)

True. For now, zeroConf is not passed on at the router. However, they are working on an implementation of zeroConf that does get passed across the router. Hopefully, they'll check more closely now on that version for buffer overflows before approving it.

Okay... let me get this straight... (4, Insightful)

Penguinisto (415985) | about 7 years ago | (#19895037)

Serious question here:

Somebody writes a worm for OSX that works across a specific test network (of which we have no clue as to settings, layout, patch levels, etc etc), and it's really, really, really big news. Media orgs around the planet sound the klaxon, and (nearly) everyone gets all hyper-ventilated. Claims of "OSX is just as vulnerable!!!1111!!" will fly off the pages.

Meanwhile, the next near-periodic iteration of MSFT-specific malware in-the-wild will get not so much as a grunt outside of security circles (such as SANS ISC and F-Secure's blog as ferinstances). It will likely subvert 40x as many victims in its first hour, and the media won't say so much as 'boo' about it.

Perspective (at least outside of security and some geek circles)? Never heard of it.

/P

Re:Okay... let me get this straight... (1)

Dan_Bercell (826965) | about 7 years ago | (#19895115)

The reason is because Apple (and Linux) users are not affected by Viruses and Worms or at least that is what vendors claim. MS never claimed that Windows was not vulnerable. They do claim that Vista is not 'as' vulnerable, which is true, but only until it is the most used OS...which is the same as every OS.

Re:Okay... let me get this straight... (5, Insightful)

BlueDjinn (513272) | about 7 years ago | (#19895231)

I don't know of a single Mac user or vendor who has ever claimed that OS X is *COMPLETELY* invulnerable to viruses/etc, only that there hasn't been a demonstrable, malicious, in-the-wild true OS X virus released YET, which is true.

Major difference. In fact, every Mac user I know expects a "true" virus or two to show up for OS X sooner or later, but what of it? So the ratio will go from a bazillion to zero to a bazillion to one or two.

Apple has roughly a 2.5% worldwide market share--wake me when they have anywhere close to 2.5% as many viruses as Windows and I'll start being overly concerned.

Re:Okay... let me get this straight... (1, Interesting)

Anonymous Coward | about 7 years ago | (#19895373)

"I don't know of a single Mac user or vendor who has ever claimed that OS X is *COMPLETELY* invulnerable to viruses/etc, only that there hasn't been a demonstrable, malicious, in-the-wild true OS X virus released YET, which is true."

perhaps you have completely missed all Apple's marketing material lately?

Re:Okay... let me get this straight... (1)

Aqua OS X (458522) | about 7 years ago | (#19895445)

Well, to be fair, nothing has spread around in the wild that has widely affected Mac OS X users. The only times I've even seen an "infected" OS X box it was a result of me intentionally downloading lame proof-of-concept malware. Even then, those security holes were likely plugged by Software Update within a few days. And unlike Windows Update, OS X's Software Update isn't god awful and annoying, so many Mac users actually use it.

I could be wrong, but I don't think Apple has ever stated that OS X is immune to malware. Apple has stated that OS X is not vulnerable to Windows malware, which is obviously true. Moreover, Apple has stated that OS X has never really had anything floating around in the wild that has affected any notable number of people.

Re:Okay... let me get this straight... (2, Interesting)

samkass (174571) | about 7 years ago | (#19895513)

You make a good point. The fact that there is not a single virus or worm in the wild for MacOS X probably does make this bigger news (assuming the unsubstantiated report is real and it ever makes it into the wild) than it would otherwise be. I'm not sure how much Apple's statements on the matter really affect it, but the fact that someone succeeded in creating such a worm for MacOS X really is pretty big news, I guess. That is, as long as the news organizations don't try to portray MacOS as being as vulnerable as Windows.

Re:Okay... let me get this straight... (1, Insightful)

Aaron England (681534) | about 7 years ago | (#19895129)

The Apple fans can't eat their cake and have it too. If Apple is going to market their product as one that is a secure alternative to Windows, then they must accept being held to a higher standard and all the scrutiny that comes with it. In fact, they ought to welcome it.

Re:Okay... let me get this straight... (3, Insightful)

Trillan (597339) | about 7 years ago | (#19895169)

I don't see any suggestions this be buried, only that it be kept in perspective. (Which, I'll grant, is impossible.)

Re:Okay... let me get this straight... (1)

PhotoGuy (189467) | about 7 years ago | (#19895381)

It's a really big story, because of how unusual any exploit on OS/X is (even without knowing the details, it's a big story), not because it means OS/X is insecure....

Is mDNS even routable? (4, Interesting)

MBCook (132727) | about 7 years ago | (#19895089)

I was under the impression that mDNS was not routable (and specifically designed not to be routed). If that is true, doesn't that restrict this to propagating to computers on the same subnet? This could affect a business, or a computer lab (say at a university), but this fact should prevent it from spreading around the internet at large (as various Windows worms have).

It's a bug, it's a problem, but it's no Blaster by a long shot.

Re:Is mDNS even routable? (4, Insightful)

dch24 (904899) | about 7 years ago | (#19895183)

Bundle it with a Windows worm. Exploit Macs on the same subnet as Windows boxes. Then the infected Macs scan for vulnerable Windows boxes and spread the infection. Every vector is useful in an attacker's bag of tricks.

Re:Is mDNS even routable? (1)

mzs (595629) | about 7 years ago | (#19895343)

mDNS uses the link-local multicast address 224.0.0.251. Link local addresses should not be routable, but there is always the possibility of some routers being misconfigured, most likely because some idiot that does not know better wants Bonjour to work across subnets without simply using DNS correctly.

Re:Is mDNS even routable? (1)

zrq (794138) | about 7 years ago | (#19895533)

Once a laptop gets infected, could it spread across a wireless network that the laptop is connected to?
All the machines connected to a public wireless access point will probably be on the same subnet.

Sort of like the early viri that were spread by floppy disk, they required a human carrier to transfer an infected disk from one machine to another.
This one requires a human carrier to transfer an infected laptop from one network to another.

Re:Is mDNS even routable? (4, Informative)

anticypher (48312) | about 7 years ago | (#19895563)

Multicast packets are routable, if the upstream routers support dealing with multicast packets correctly.

mDNS/bonjour/zeroconf detects if a packet has crossed a router by setting the originating TTL to 255. If a multicast packet crosses a router, the TTL is supposed to be decremented, and zeroconf is supposed to ignore the packet as it is no longer considered local. Many suppositions there, as implementations vary.

Worse, starting with a TTL of 255 means that the packets will be able to go anywhere on the internet where multicast packets can get routed. Better protected carriers will drop multicast packets with TTLs greater than 64 or 128, specifically to limit mDNS/zeroconf traffic while allowing reasonable traffic to flow. Most ISPs don't have the technical competence to deal with multicast, so they just block it, which will limit any spread of an mDNS worm.

However, just because mDNS/zeroconf will ignore packets with TTL less than 255, doesn't mean that a buffer overflow bug isn't being treated by the protocol stack. Take a wait and see attitude on this disclosure, as it appears to be an extortion attempt rather than something from legitimate sources.

the AC
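
The TTL rule described in the comment above, as an added example that is not part of the original post: it parses raw IPv4 packets, applies the "TTL must still be 255" test to anything addressed to UDP port 5353, and lists senders whose mDNS traffic has crossed a router. The function names and the sample packets are constructed for illustration.

```python
import struct
from socket import IPPROTO_UDP, inet_aton, inet_ntoa

MDNS_PORT = 5353   # standard mDNS UDP port
LOCAL_TTL = 255    # originating TTL described in the comment above


def build_packet(src, dst, ttl, dport, payload=b""):
    """Constructed IPv4+UDP packet for the demo (checksums left at zero)."""
    udp = struct.pack("!HHHH", MDNS_PORT, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl,
                     IPPROTO_UDP, 0, inet_aton(src), inet_aton(dst))
    return ip + udp


def classify(packet):
    """Return (verdict, source, hops) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("malformed", None, None)
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl + 8:
        return ("malformed", None, None)
    ttl, proto = packet[8], packet[9]
    src = inet_ntoa(packet[12:16])
    if proto != IPPROTO_UDP:
        return ("not-mdns", src, None)
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    if dport != MDNS_PORT:
        return ("not-mdns", src, None)
    hops = LOCAL_TTL - ttl                # routers crossed if sent with 255
    return ("local" if hops == 0 else "routed", src, hops)


def routed_sources(packets):
    """Map each off-link mDNS sender to the smallest hop count seen."""
    seen = {}
    for pkt in packets:
        verdict, src, hops = classify(pkt)
        if verdict == "routed":
            seen[src] = min(hops, seen.get(src, hops))
    return seen


SAMPLE = [  # constructed traffic; private and documentation addresses
    build_packet("192.168.1.10", "224.0.0.251", 255, 5353),   # same link
    build_packet("198.51.100.7", "224.0.0.251", 252, 5353),   # 3 routers
    build_packet("198.51.100.7", "192.168.1.20", 250, 5353),  # unicast, 5 hops
    build_packet("192.168.1.11", "192.168.1.1", 64, 53),      # ordinary DNS
]
```

Any entry returned by `routed_sources` points at a path that forwards mDNS traffic off its original link, which is the router misconfiguration discussed in this thread.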

Excellent response (1)

theolein (316044) | about 7 years ago | (#19895685)

My take on it as well. The wording of the claim site is somewhat dubious.

Local network only - depends on mDNS (3, Interesting)

mbessey (304651) | about 7 years ago | (#19895137)

So, not quite like the Internet-spanning, DDOS-producing Windows worms we've come to know and hate. I'm not too surprised the vulnerability was in MDNSResponder, though. Someone I work with found a few problems in the code when running it on Linux.

Market share? (3, Insightful)

Dan_Bercell (826965) | about 7 years ago | (#19895139)

I haven't really looked at the market share percentages of OSes recently, has Apple really grown large enough for Virus makers to start targeting Apple?

Flamebait? (1)

Dan_Bercell (826965) | about 7 years ago | (#19895467)

I was being serious!

Flamebait WTF? (1)

theolein (316044) | about 7 years ago | (#19895581)

Y'poor bastard, Apache has a larger share of the web server market than IIS, and is just as often targeted, but is more secure. Your question, however, is about targeting, and you're spot on. Mac users are singularly useless when it comes to security. You got modded flamebait by an overzealous dickwad Mac user (and I use Macs m'self)

Who's paying him? (1)

sokoban (142301) | about 7 years ago | (#19895151)

I'm guessing Matasano Security is paying him for this vulnerability.

They're the ones who challenged Joanna Rutkowska about her bluepill (see the "Hi Joanna" quote on the blog), and have had contact with infosec sellout in the past.

Check the source code anyone? (0)

Anonymous Coward | about 7 years ago | (#19895193)

Given that the claimed vulnerability is in mDNSResponder, whose source [apple.com] is available under the Apache-2 license [apache.org], and that we have a hint of what the vulnerability is ("proof-of-concept worm was able to reliably deliver root and was based on a variation of mDNSResponder vulnerabilities that Apple had previously patched" - the only one that I could think of was CVE-2007-2386 [nist.gov]) someone far smarter than I could find and patch the vulnerability before InfoSec Sellout's work is complete. Isn't F(and/or)OSS great?

Apple Coded (0, Troll)

Nikron (888774) | about 7 years ago | (#19895285)

It seems to me that the vulnerabilities in OSX will keep increasing as they keep layering stuff over their BSD core. It seems to me their kernel and lower level stuff is widely tested and secure, since you can see most of its source. However, software that they keep pushing out to improve OSX will probably be just as vulnerable as any of Microsoft's stuff.

Re:Apple Coded (0)

Anonymous Coward | about 7 years ago | (#19895329)

Jesus Christ! Do you want to get modded down?

Re:Apple Coded (5, Informative)

Trillan (597339) | about 7 years ago | (#19895417)

mDNSResponder is open source.

Re:Apple Coded (0)

Anonymous Coward | about 7 years ago | (#19895677)

Appropriate sig :-)

3 known exploits.... (1)

gsfprez (27403) | about 7 years ago | (#19895359)

200,783 to go...

Root Account Disabled... (1)

sjmacko29 (648740) | about 7 years ago | (#19895531)

Isn't the root account disabled by default on OS X systems? I wonder how the worm handles that... Just curious. I have never **cough cough** enabled the root account on my Macs.... Most likely, it will go after any account with admin rights? Steve

Re:Root Account Disabled... (0)

Anonymous Coward | about 7 years ago | (#19895703)

Normally, yes, root is disabled by default unless you jump through several hoops to enable it. However, it is the careless person that this malware goes after, so, like on a standard configured Windows, it is vulnerable to attack by malware. Better check your NetInfo Manager to make sure now.

Re:Root Account Disabled... (3, Informative)

Mr2001 (90979) | about 7 years ago | (#19895741)

No, just because you can't log into the account doesn't mean it doesn't exist. Type "sudo sh" and enter your password - presto, you're running a shell as root. Exploit any service running as superuser and you can do the same thing.

Ubuntu (0)

Anonymous Coward | about 7 years ago | (#19895575)

Rumour has it there are some fairly major Ubuntu virus programs on the horizon. (Targeted for September "back to school" time.) I wonder what slashdot will have to say about that.

Have mDNSresponder run without root privileges (5, Informative)

e. boaz (67350) | about 7 years ago | (#19895739)

If this is a real concern, there is a workaround to have mDNSResponder run without root privileges. Part of the claim is that they can deliver root payloads - this is likely because mDNSResponder runs as the root user and they might be using a buffer overflow exploit [NOTE: I have not analyzed the mDNSResponder code - this is a guess.]

% sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
% sudo chown nobody:wheel /usr/sbin/mDNSResponder
% sudo chmod 4750 /usr/sbin/mDNSResponder
% sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

If someone wants an explanation of what the above commands accomplish, please read further.
1. launchctl is used to unload and load the mDNSResponder daemon.
2. We change the owner of the mDNSResponder to nobody and ensure that wheel is the group. The group is used to ensure that members of the wheel group may launch mDNSResponder and not other users of the system (with the exception of root and anything else running as nobody.)
3. We change the permissions of the mDNSResponder program to be setuid nobody. This means that mDNSResponder will run as nobody and only be able to affect files owned by that account or by files it may happen to have write privileges against.
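
A check to run after the commands above, as an added example that is not part of the original comment: a setuid binary changes only the effective UID, so if the launcher runs as root (an assumption here) the real UID stays 0 and POSIX lets the process call seteuid(0) again. The code parses `ps -axo ruser,user,pid,comm` output and flags that state; the sample output and function names are constructed.

```python
def parse_ps(text):
    """Parse `ps -axo ruser,user,pid,comm` output into dict rows."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # skip the header line
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[2].isdigit():
            ruser, euser, pid, comm = parts
            rows.append({"ruser": ruser, "euser": euser,
                         "pid": int(pid), "comm": comm})
    return rows


def audit(text, daemon="mDNSResponder"):
    """Classify each matching process by the privilege it still holds."""
    findings = []
    for row in parse_ps(text):
        if not row["comm"].endswith(daemon):
            continue
        if row["euser"] == "root":
            state = "runs-as-root"
        elif row["ruser"] == "root":
            # Effective UID was lowered by the setuid bit, but the real UID
            # is still 0, so the process may switch its effective UID back.
            state = "root-recoverable"
        else:
            state = "unprivileged"
        findings.append((row["pid"], state))
    return findings


# Constructed sample: what ps could show after the setuid-nobody change
# when the daemon is started by a launcher running as root.
SAMPLE_PS = """\
RUSER  USER    PID COMM
root   root      1 /sbin/launchd
root   nobody   61 /usr/sbin/mDNSResponder
alice  alice   310 /bin/zsh
"""

if __name__ == "__main__":
    for pid, state in audit(SAMPLE_PS):
        print(pid, state)
```

A "root-recoverable" result means the daemon no longer writes files as root in normal operation, but code running inside it is not confined to the nobody account.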

Re:Have mDNSresponder run without root privileges (1)

e. boaz (67350) | about 7 years ago | (#19895767)

I hit submit instead of preview. I've tested this on my system. mDNSResponder doesn't seem to be affected in an adverse way by this change. I can still resolve the hosts via the Bonjour domain (.local) on my subnet. I'll test this at work tomorrow more extensively since I have a /22 network of Macs to play with...

BS alarm (0, Troll)

Rick Zeman (15628) | about 7 years ago | (#19895783)

Where on earth will those dweebs find 1500 Macs on the same subnet to test this on?

Right.