ATTN: Mac OS X Users
Do not enter your admin password when attempting to view a JPEG file.


First Mac OS X Virus, but only affects gullible morons.

Therefore, Mac OS X users are doomed! Doomed I say!

I find it quite interesting that while PC users are tempted with porn, Mac users are tempted with screenshots of the next version of Mac OS X.

Of course, since I only use my Apple computer as a UNIX workstation, I am immune from this derision.

ATTN: Mac OS X Users | 15 comments (15 topical, 0 hidden) | Trackback
Two points by gazbo (2.00 / 0) #1 Thu Feb 16, 2006 at 11:46:54 PM EST
First, as you correctly pointed out, needing to be utterly fucking stupid is a far cry from being safe.  The Bagle worm for Windows demonstrated that (you received a zip file that you had to save, then open, then extract the executable contents, then run).  Why are people so stupid?

Second, not running as root is FAR from a magic bullet.  If you're on a single user machine then being infected as the main user is no better than being infected as root: ask CBB if he'd rather a virus wiped out his OS, or all his project files (but as we all know, CBB is sensible enough to keep offline backups).

Furthermore, if you really wanted root, it probably wouldn't be that hard to obtain.  I am not a Unix programmer, but if I were to want to do such a thing then (ignoring trying a host of privilege escalation exploits) I'd probably just alias 'su' to run my own program, then infect whoever you've su-ed to before returning the expected shell.  Eventually (and probably immediately) you'd get root.

No, I don't know if this would be possible in OSX's graphical environment, but you can see where I'm coming from.  Does OSX do automatic updates a-la Windows that require admin passwords?  If so, that's an obvious program to spoof.

I feel the urge to be violent towards virus writers.


I recommend always assuming 7th normal form where items in a text column are not allowed to rhyme.

Auto-update by Evil Cloaked User (2.00 / 0) #2 Thu Feb 16, 2006 at 11:55:48 PM EST
Nice idea. Yes it does.

Any computer is going to be subject to viruses by Idempotent (2.00 / 0) #3 Fri Feb 17, 2006 at 12:07:45 AM EST
As long as the users don't understand how their OS works. So, viruses will be fine on OS X as well.

I would like to run every single program under a unique user which has no access to any file on the computer. When the user chooses a file from the system UI (which is done under the user's main UID) the other process gets temporary permission to read or write (as appropriate for the UI dialog).

That should cover most programs. For the ones which need to access a "database" of files, like say, iPhoto, have a system call which allows you to create a directory (in a well known place) which is reserved for that program. Nothing else can touch it, but that program has free rein.

Flaws?

It'd piss off power users, so you'd need an option to run stuff as your UID. But cover it with "do this, and you're fucking stupid if you're not absolutely sure what you're doing" dialogs.

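A minimal sketch of the file-dialog half of the design above, added here as an example and not code from anyone in the thread: a broker process (standing in for the system UI, running as the user) opens the chosen file and hands a forked worker nothing but the open descriptor over a Unix socket, so the worker never needs filesystem access to the path. Running the worker under its own unique UID would need root (setuid) and is assumed to be done separately; the file name and contents are constructed for the demo.

```python
import array
import os
import socket
import tempfile

def send_fd(sock, fd):
    # Hand an open descriptor to the peer over a Unix socket (SCM_RIGHTS).
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                           array.array("i", [fd]))])

def recv_fd(sock):
    # Receive one descriptor; the kernel installs a copy in our fd table.
    fds = array.array("i")
    _msg, ancdata, _flags, _addr = sock.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
            return fds[0]
    raise RuntimeError("no descriptor received")

def run_demo():
    # Constructed sample document that the user "chooses" in the dialog.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        with open(path, "w") as f:
            f.write("quarterly numbers\n")
        broker, worker = socket.socketpair()
        pid = os.fork()
        if pid == 0:
            # Worker: the confined application. It is never told the path,
            # only given a descriptor, and sends what it read back to the broker.
            broker.close()
            fd = recv_fd(worker)
            with os.fdopen(fd, "rb") as doc:
                worker.sendall(doc.read())
            worker.close()
            os._exit(0)
        # Broker: the file-dialog step. It opens the chosen file itself and
        # grants the worker nothing but that one open descriptor.
        worker.close()
        fd = os.open(path, os.O_RDONLY)
        send_fd(broker, fd)
        os.close(fd)
        with broker.makefile("rb") as reply:
            data = reply.read()
        broker.close()
        os.waitpid(pid, 0)
        return data.decode()
```

The same SCM_RIGHTS handoff is how a real broker would grant write access too: open the file with the mode the dialog permits and pass that descriptor, never the path.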
Still the slight difficulty of "root" by gazbo (2.00 / 0) #4 Fri Feb 17, 2006 at 12:13:19 AM EST
I figure you're always going to need some kind of superuser who has permissions to access the kernel and its periphery in order to do OS updates.  And of course once the kernel is compromised anything goes.

I can't see any way around that, but then I confess to not having looked very hard.


Correct. by Idempotent (2.00 / 0) #5 Fri Feb 17, 2006 at 12:23:50 AM EST
But you can make it impossible to get to it without some big ass warnings. This simple "enter your password with no explanation why" stuff ain't good enough.

If you were just updating the OS, you could require signed executables. So only something signed by Apple gets to run as root, and it only updates things with signed stuff.

Of course, you need an option to turn it off, but for the stupid types who would fall for problems, it'd be fine. And you could cover it with huge warnings which specify exactly what circumstances you'd want to turn it off for.

How? by NoMoreNicksLeft (2.00 / 0) #6 Fri Feb 17, 2006 at 01:02:11 AM EST
How does this not raise the hairs on the backs of people's necks, when something like this is sent to them?

Does their spidey-sense not kick in?

I managed to run Windows 2000 until like '04 without even installing a service pack or vulnerability patch. Never once got a piece of spyware, a virus, or any other crud.

And I didn't exactly stick to only the safe sites on the web, either.

Is there something in human nature that compels them to install some noname piece-of-crap mahjong clone that they found on google result #417 ? Do they have no choice but open that email promising farmsex pictures (when they could certainly find such pictures with GIS, and the only thing the purveyor would try to get from them in a subscription that is impossible to cancel) ?
--
Do not look directly into laser with remaining good eye.

Heh. by iGrrrl (4.00 / 1) #7 Fri Feb 17, 2006 at 03:14:19 AM EST
I find it quite interesting that while PC users are tempted with porn, Mac users are tempted with screenshots of the next version of Mac OS X.

Because to some Mac users, it is porn.  In my old lab I put a picture of one of the new Macs, the cube I think, with a post-it note to label it "Nerd cheesecake."

"Beautiful wine, talking of scattered everythings"
(and thanks to Scrymarch)

That is what scares me. by Idempotent (2.00 / 0) #10 Fri Feb 17, 2006 at 04:47:52 AM EST
The cube was a well funky design though.

hah! by iGrrrl (2.00 / 0) #13 Fri Feb 17, 2006 at 05:51:09 AM EST
You should have seen my glee when the new G3 towers came out, and you could open them with a ring (and not a screwdriver).  It made installing our AD boards a five minute joy instead of a half-hour nightmare.  I wanted to go kiss the designers.  Of course, they got rid of it...


I'm not surprised. by Idempotent (2.00 / 0) #15 Fri Feb 17, 2006 at 07:58:50 AM EST
What with you trying to give them a good snogging and all that!

+1, Solid Advice by MohammedNiyalSayeed (4.00 / 1) #8 Fri Feb 17, 2006 at 04:41:29 AM EST

Not being a gullible moron, I'd not type my administrative password to see a JPEG. Actually, now that I think about it, the real reason I'd not type it is because no JPEG is worth that amount of effort. Kind of like how, if you go to a fast food restaurant and there's a line, you leave, because the food isn't worth waiting in the line.

Realizing that the company who "revealed" this sells security software, I see why they're abusing the term "virus" to describe something that doesn't self-replicate, self-propagate, or even self-install or execute. My disappointment lies with Mac malware authors; I mean, COME ON, DUDES! There are buffer overflows that could be exploited in QuickTime that allow for arbitrary shell command execution, and this is the best you guys can do? I suppose all the real malware talent on the Mac platform is too busy doing their day job to bother writing virii, leaving this responsibility to basement-dwelling, slashbot script kiddies. Sad, really. As a Mac user, I feel so, I dunno, ... left out.


-
You can build the most elegant fountain in the world, but eventually a winged rat will be using it as a drinking bowl.
Don't worry. by Idempotent (4.00 / 1) #9 Fri Feb 17, 2006 at 04:47:13 AM EST
Because of the move to Intel, all the virus writers will have pre-built shell code, and will just compile them for Mac OS X. So you'll get loads.

According to some self-serving anti-virus company.

Provided they can figure out by MohammedNiyalSayeed (2.00 / 0) #11 Fri Feb 17, 2006 at 04:51:05 AM EST

what pathnames to change to what. It's Rocket Science, I tell ya!

/sw !!! by Idempotent (2.00 / 0) #12 Fri Feb 17, 2006 at 05:46:09 AM EST
what not.

Heh by hulver (2.00 / 0) #14 Fri Feb 17, 2006 at 07:16:55 AM EST
But that would involve actually writing new shell code instead of just copying stuff from the phrack archives.
--
Cheese is not a hat. - clock