New OS X vulnerability found: worm released in lab?
Look, we're fine with Apple gloating about the security of OS X in their Mac vs. PC adverts. After all, we have yet to see a large-scale worm released into the Macintosh community. However, the fact that a worm hasn't been released on a Windows-esque scale likely has less to do with Apple's superior coding than the size of their market share, i.e., OS X is a smaller target. That might soon change, however. A vulnerability has reportedly been found and more importantly, exploited by an "independent researcher" known only as "InfoSec Sellout." Apparently, a previously undisclosed vulnerability in the OS X mDNSResponder (which Apple has patched before) allowed Sir Sellout to cobble together a worm dubbed "Rape.osx." InfoSec Sellout claims to have released the worm into a controlled environment thereby infecting a network of about 1,500 OS X systems by nabbing root and dumping a text file as an evidentiary foot print. However, the worm's author claims that it can be broadly weaponised with a payload of choice across both PPC and Intel-class Macs with just a bit more work. InfoSec Sellout will disclose the vulnerability to Apple only after his/her "research is complete" and after an appropriate level of compensation (er, InfoSec Ransom?) received. Dubious as that sounds, for better or worse, it's the way the game's currently played. [Via Slashdot]
Reader Comments (Page 1 of 2)
Xavier @ Jul 18th 2007 6:08AM
What an ingenious evil plan. That bastard!
*hugs blackbook*
David @ Jul 18th 2007 6:21AM
Not really that impressed.. Why even make a claim when all he's done so far is dump a text file?? Oh and what exactly does it mean "controlled enviroment". If it's 1500 macs sitting in a room that makes it even less impressive.. Lets see what kind of ransom he wants :P
Chip @ Jul 18th 2007 10:39AM
If you can get root and dump a text file, you can do anything.
Sageco @ Jul 18th 2007 6:23AM
Wow, that man is the evil i hope to emulate.
AbandonedHero @ Jul 18th 2007 5:38PM
You've already lost that battle, he's an anonymous pansy.
Sageco @ Jul 19th 2007 4:42AM
I don't mean emulate HIM, just his actions, with a few minor changers, most notably that i will reveal myself; whats the good of evil if people don't know it?
homer @ Jul 18th 2007 6:28AM
agreed, marektshare is a factor, but you guys are saying the inherent security of the OS has nothing to do with it? you guys are worse than cnet.
pinheads
Thomas Ricker @ Jul 18th 2007 6:32AM
Homer,
No, that's not what I said, read again.
Thomas
AeronPrometheus @ Jul 18th 2007 6:39AM
When you have to put quotes around "independant researcher" you're retaining almost none of what little credibility an article like this gets with intelligent people.
I think that if you hold the security of a program for ransom you're in the same bucket as a hacker or virus writer, the world and its progress has no need for you. Worms, Trojans, Viruses, and all kinds of expoits have been successfully created on OS X... In controlled environments, cause they never seme to work in the wild. And even then they have to cheat a little just to get a proof of concept to work.
OS X is secure because Apple cares about security. That's the big secret, people. The most recent reports puts Apple's market share at around 16%. And those figures are purposly undercut. For any one computer manufacturer to have that big a chunk of the market is a very good thing, and is no small target.
Keep doing your thing, Rape-man, you seem to need the attention. Although something tells me I won't have to worry about you when surfing the web... for the remainder of my time on Earth.
Nicholas FitzRoy-Dale @ Jul 18th 2007 6:45AM
Also, a quick glance at Bugtraq / full-disclosure / etc etc will reveal that this is *not* how "the game is played nowadays". Holding something like this to ransom is essentially black-hat behaviour imo, and not how the security community should, and mostly does, operate.
L. M. Lloyd @ Jul 18th 2007 11:36AM
Wow, Steve Jobs himself, when directly asked at All Things D, said their worldwide desktop marketshare was around 3%, yet you claim 16%! Now talk about the faithful. When even your hero says 3%, and you turn around and say that he is just being modest. I think you are confusing the fact that for a couple of quarters in the US, Apple has had 16% of laptop sales with their overall marketshare. You see, there are more computers out there than just laptops, and there are more countries out there than just the USA.
Will @ Jul 19th 2007 4:40PM
IDC announced in it's recent press release the Apple Market Share is now 5.6% for those of you bickering over what the stats are.
And OSX does not have YEARLY $150 updates. Heck, Leopard will be my first OS upgrade in 2 years, that's right...2 years. How long did you wait for Vista? Did you get all those drivers you need yet?
and why when OSX has the slightest possible security hole do Windows users already have to chime in. Your imaginary infinite Windows wisdom is not welcome in our Mac world. We've already learned from your mistakes...which you still continue to make.
Personally, I don't feel the slightest threat from an article on a anonymous person who tests in a closed environment and doesn't release a single detail about the setups or scope of the project.
Special_K @ Jul 18th 2007 6:51AM
I refuse to accept that Apple's small market share is the primary reason for the lack of worms for OSX. Do you know how much cred/satisfaction any self-respecting coder would get from creating a widespread worm for OSX? I'll do the math: a friggin' lot. Come on guys, here's a company that claims that it's impossible for its software to get viruses- practically begging people to prove them wrong. You'd think that somewhere along the way, someone would take them up on their challenge. OSX may not be a big target, but its reputation rides on its impenetrability, and saying "oh, no one cares about you guys, 'cause you're small and dumb lol!" only proves that you can't accept that there could be a world free of malignant software.
JC @ Jul 18th 2007 8:23AM
Well, apparently not. According to this article a coder *has* the potential of creating a widespread worm for OS X but would rather sell/give the info to Apple than release it in the wild. It's like you didn't even read the article.
Chip @ Jul 18th 2007 10:49AM
It's weird how OSx users want to tout security so badly that they're blind to vulnerability reports.
I ran a Linux webhost server for quite a while. If you install tried and tested software on it with proper permissions, keep up with current kernels and limit others from installing crap, it's pretty hardened.
Windows XP and Vista are also pretty secure if you don't do stupid stuff (and you know what I'm talking about).
If this claim is true, it is one of the very few reports as of late that can infect you without you doing anything. Apparently it doesn't exploit a browser, need to be installed or need to be an attachment to email.
L. M. Lloyd @ Jul 18th 2007 11:54AM
Many people have taken them up on their challenge, and done it successfully. People ranging from respected security consultants to black hat lowlifes have found and reported on numerous vulnerabilities and exploits on OSX. And every time someone does, the Apple damage control machine personally attacks them in an attempt to discredit them, crazy Macheads leave death threats on their site, and people like you start floating tripe like your post to minimize the importance of the newly exploited vulnerability. Then all the Macheads stick their head right back in the sand and go right back to parroting that there has never been a security breach on OSX, in complete denial of reality.
Jeff @ Jul 18th 2007 12:16PM
@ L. M. Lloyd - "...And every time someone does, the Apple damage control machine personally attacks them in an attempt to discredit them..."
you're so full of it. It's nice to imagine the evil apple spin machine, but seriously, that's a bunch of paranoid bullshit. Show me one example where that EVER happened, and if you point to the macbook wifi joker, then you truly are a fool.
CmpltDrk @ Jul 18th 2007 12:28PM
Hey everyone, it's Apple hatin' Lloyd!
L. M. Lloyd @ Jul 18th 2007 12:31PM
@ Jeff
Clearly I don't need to point out an example, since you are obviously aware of it. Apple PR, as you seem to well know, was actively involved in discrediting David Maynor and Jon Ellch, and went as far as to sign contracts with their employer to make sure they couldn't present their findings. This has all been documented several places including cnet and the Inquirer.
Just because you choose to side with Apple PR instead of the researchers, doesn't mean it didn't happen.
L. M. Lloyd @ Jul 18th 2007 12:35PM
@ CmpltDrk
I don't hate Apple, what I hate is the constant void of rational thought that surrounds any Apple, or for that matter Sony (just in the other direction) story. I get so sick of people authoritatively spewing complete crap, and everyone accepting it because it is popular crap.
peshue @ Jul 18th 2007 5:10PM
A large amount of nasty stuff that can get on your computer nowadays involves collecting information to be sold, there's no point in doing that on macs when there's much better prospects in doing it too pcs.
01 @ Jul 18th 2007 5:56PM
Wow LM Lloyd, both CNET AND the Inquierer reported this? Hell, all I need in the NY Post or the Washington Times to hop on this band of credible news sources and I'm sold...
NiGhTmArE @ Jul 18th 2007 7:17AM
I like the image.
deslock @ Jul 18th 2007 7:17AM
Quoting the blog entry:
> However, the fact that a worm hasn't been released
> on a Windows-esque scale likely has less to do with
> Apple's superior coding than the size of their
> market share
Do you have something of substance to backup that assertion?
My understanding is that OSX benefits from being a smaller target (to those that make money via spyware) but it's also an inherently more secure platform. It's not invulnerable and some day it'll get hit with a virus in the wild, but there's no reason to expect it to be overrun with them like XP 2000 and XP are.
deslock @ Jul 18th 2007 7:19AM
>XP 2000 and XP
Should read Win 2000 and XP (obviously)
Andy @ Jul 18th 2007 7:19AM
FWIW the market share argument is bullsh*t. Mac OS 9 had fewer users then OS X currently does, and yet it had no shortage of viruses.
strider_mt2k @ Jul 18th 2007 7:21AM
See?
With advances like these, soon both OSs will suck equally!
It's the future people!
bob e @ Jul 18th 2007 7:54AM
One day we will read the headline:
"BIG MAC ATTACK"
and it won't refer to McDonalds!
I'll keep my Vista Ultimate thank you!
fred @ Jul 18th 2007 8:12AM
Holy Crap! That's the first time I've heard that. I'll keep my Vista Ultimate? Yeah, you'll pretty much have to since you probably had to take out a second mortgage to buy it. I know that the shiny glow of Bill Gates' autograph on the box keeps you warm at night, but remember to thank Apple for all the innovation in that "Ultimate" OS. I hope your kidding.
Asmeroth @ Jul 18th 2007 9:42AM
He's only had to pay ~$250 for operating system upgrades in the past few years. Apple charges about $130-$150 for their yearly upgrades. With another one set to drop soon, there will have been 4 major releases of OS X since XP, so ~$500 vs ~$250 for operating system upgrades. Math is hard.
Christian Martin @ Jul 18th 2007 10:01AM
@ fred
My copy of Ultimate was free. It's a retail copy with a genuine serial number. Not only that, I sold my other free copy (Vista Business) for $160. So far, I'm in the black with no second mortgage. I also upgraded my machine by eBaying the old parts and using the money to fund new components. I broke even, got some nice new stuff and had enough left over to buy my wife a 22" widescreen.
The cost to acquire and run Vista can easily be made negligible. So far I'm in the black with no second mortgage. Use your brain before you spout off.
fred @ Jul 18th 2007 10:40AM
@ Christian and Asmeroth
You guys might need to get your sarcasm detectors checked out, they seem to be broken. I cannot believe that you are falling back on MS's failure to release a new version of Windows for so long as a positive. On my planet we call that grasping at straws. I'm sorry if $359 for a warmed over 5 years late aquafied version of windows doesn't ring my bell, when I've had those features for quite a while on my Mac.
As far as you go Christian, hey I'm glad that you could scrap together the cash to upgrade your box so that you might have a hope of running Vista. Hopefully next time you won't need to auction a kidney to get your widgets...oh I'm sorry I meant "Gadgets".
You have both effectively ignored what I was really talking about here anyway. I was poking fun at Bob's assertion that he'll keep Windows because it's so much more secure than OSX.
Craig @ Jul 18th 2007 10:45AM
how did you get ultimate for free? i gotta say... your story is pretty unbelievable
Richard @ Jul 18th 2007 11:18AM
@fred
How do YOU like your Konfabulator, er... I mean Dashboard?
People who live in glass houses...
byaah @ Jul 18th 2007 11:50AM
Everyone just shut up. It doesn't matter who has what OS, as long as you like what you're working with. Its all a matter of opinion.
For a second, I thought I was reading a blog with an audience of bickering 5 year olds. Grow up.
Miles @ Jul 18th 2007 1:25PM
Richard, and where did Konfabulator steal widgets from?
Oh yeah, Apple's Lisa OS.
Deskapps.
The truth is sure a bitch isn't it Windows lover?
Christian Martin @ Jul 18th 2007 4:39PM
@ fred (again): No, your original point was to show your fandom and bash another OS because it makes you feel like a bigshot. My box ran Vista fine before upgrading, and I still have all my organs. I upgrade out of affinity for tinkering with hardware rather than need.
@ Craig: Truth be told, it was $10. Alternate media kit ordered from MS + serial from trial version given out at launch events = licensed version. There are threads floating around regarding this. If you'd like examples: my Sony 20.1" LCD sold for $320, the 22" Benq wide LCD was $270; 2GB DDR sold for $175, paid $99 for 2GB DDR2; mobo/proc sold for $20, paid $135. I got lucky, but I still came out ahead.
@ byaah: He stole my juice box first.
Fred @ Jul 18th 2007 7:35PM
Well, Chris I'm pretty sure I'm gonna know what I was saying better than you, but whatever. As far as me being a bigshot, it's my enormous man parts that make me feel that way. I'm glad you're happy with Vista, and when you'd like to graduate up to the REAL OSX let me know, smarty. I run a Mac out of a need for a stable machine that works right. But hey good luck to you, friend.
roach @ Jul 18th 2007 8:15PM
I keep my Vista. I had it for 6 months and never did I once ever consider buying an anti virus software.
pkilla @ Jul 24th 2007 12:23PM
How bout you just have both OSX and Vista (on a PC by the way) like I have and call it a day ;)
harpreet @ Jul 18th 2007 8:03AM
gees i just bought my macbook 2 months ago......i wonder if apple asks us to pay 1.99$ to fix this thing like the way how they did with the wifi upgrade
zargon @ Jul 18th 2007 8:15AM
I think the most dangerous thing to OSX's security is the naive notion that the users have; that they are wrapped in this impenetrable security blanket with OSX.
To have users think that they are totally safe and not have to worry about anything is just asking for trouble. No OS is 100% secure and on top of that, throw in the factor of social exploit with naive and ignorant users, you have a recipe for disaster.
To the people saying that market share has nothing to do with it, I will agree and disagree with you. The only reason I will agree is the factor of being the first, like some pointed out. However, that is not always the motive for these people, some are just out looking to reek as much havoc as they possibly can. Which right now means targeting Windows and not OSX.
What it boils down too, people really need to stop feeding this junk to the computer illiterate to stop making them think they are totally safe. It is good practice to be a little careful out there in the jungle that is the internet.
fred @ Jul 18th 2007 8:27AM
Hey, there's no question that there are security holes/exploits etc in OSX. The difference here is that when there is a possible exploit, the first time you typically hear about it is when your run Software Update, and Apple patches it. There are so many people who would love to knock the Mac off of it's pedestal, but I submit that at least some of the people that start of trying to find a way to screw it up, probably become converts in the process...
Anyway, I agree with you, but only to an extent. Users should always be careful what they browse no matter what platform they're on, but OSX is the most secure, and for reasons way beyond "Small Market Share".
zargon @ Jul 18th 2007 10:25AM
I would not say that OSX is the most secure, not by a long shot. I would say that unix, linux and BSD (more so BSD and linux) are the most secure OS's out there.
They run a even tighter security model than OSX, OSX is essentially a sugar coated BSD variant that the model has been changed slightly to make it easier on the user.
BSD and linux are usually patched with in hours of EVERY exploit or other security concern is found. I don't think any other OS out there to date can claim that, which is one major factor that they are the most secure OS's out there.
Of course, like any other OS out there. Their security can be tossed out the window with a user that doesn't practice good security.
fred @ Jul 18th 2007 10:44AM
Allow me to clarify. OSX is the most secure MAINSTREAM OS. I wondered if someone was going to bring that up, but I couldn't edit my comment.
Miles @ Jul 18th 2007 1:31PM
And Linux isn't a mainstream OS?
Even Dell is starting to sell their computers with Linux as an option.
What is the market share on Linux compared to OS X anyways.
Luis Menendez @ Jul 18th 2007 8:45AM
Isn't that what Beta's are for? Of course there are problems with it, that is why it wasn't released last month. Do we have problems with the one we have now, no. I'm sure one worm is not a big deal compared with whatever the counterpart has.
Cameron Campbell @ Jul 18th 2007 9:23AM
In the real world if you have a weapon and you threaten to set it off unless some demands are met or money is paid off no one shrugs and says "that's how the game is played".
John @ Jul 18th 2007 12:31PM
Actually, what's being done here is that the researcher created a new weapon that only works because of a vulnerability in the OS. He isn't going to release a worm that uses it and have it wreak havoc if Apple doesn't pay for it, he's going to publicly disclose the vulnerability. Apple wouldn't be paying for him to not 'attack', so to speak, Apple would be paying to be the first informed of the security hole so that they have the chance to neutralize it before anyone else knows it exists. All that said, it's still conceptually not a very nice thing to do, but at the end of the day, the guy should get paid for his work, and it's quite a long way away from the man who plants a bomb and threatens to set it off unless receiving payment.
Cameron Campbell @ Jul 18th 2007 12:40PM
So he's the guy who knows where the bomb is but wants money to tell people?