Mac OS X proof-of-concept worm maker blasts Apple on security

“The anonymous researcher who claims to have crafted a [proof-of-concept] Mac OS X worm said today that he (or she) will report his findings to Apple Inc., but added that the Cupertino, Calif.-based company ‘has a very long way to go’ on security,” Gregg Keizer reports for Computerworld.

“Identified only as the researcher behind the Information Security Sell Out blog, the individual on Sunday announced that a still-unpatched bug in mDNSResponder, a component of Apple’s Bonjour automatic network configuring service, could be exploited by a worm,” Keizer reports. “According to the researcher, the worm is fully automated and ready to use.”

“Another researcher, however, questioned whether the anonymous individual crafted the worm in only a few hours, as claimed. ‘Writing the exploit in one day… unlikely for anything other than a stack overflow,’ said Dave Aitel, the chief technology officer at Immunity, Inc.,” Keizer reports.

“Like other researchers who have grown tired of claims that Mac OS X is more secure than rival operating systems, the anonymous individual saved a last shot for Apple. Although he said he will report the newfound vulnerability to Apple at some point, he has no timetable at the moment. ‘I do believe in being responsible and working with vendors,’ he said, ‘but I also feel that some vendors need to be treated like children and learn lessons the hard way. Apple has a very long way to go when dealing with security issues in their products,’” Keizer reports.

Keizer reports, “Apple spokesman Anuj Nayar offered a rebuttal in an e-mailed statement. ‘Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users,’ he said.”

Full article here.

MacDailyNews Take: Treating Apple like a child by acting like one.

48 Comments

  1. Poor baby. He’s so hurt that no one will give him any attention so he’ll show us. He’ll post an anonymous, unsubstantiated claim and then vanish again to his games and virtual lifestyle. While we waste our time writing about him.
    Sounds like someone needs a hug.

  2. Quote: marty Let’s see if Apple will be proactive and supply a security update that will disable mDNSResponder until a patch can be issued.

    I suspect not.

    Why would Apple do that? There is no virus, or vulnerability in the wild for them to issue such a patch.

  3. Silly discourse, as the discussion attempts to say that there is a master altar of security somewhere. Since we haven’t found cures for all of our diseases, disorders, ailments, etc., it seems likely that there’s a world somewhere without any software security vulnerability. This is especially the case where software is always a moving target, with new code coming out daily.

    Nevertheless, the real issue is what fear it generates in the community, and the real-world effect of these vulnerabilities. In that case, no matter what one says about Mac security, it’s simply a safer platform to invest in. Simple as that.

  4. I love it! Someone mentions OS X security, and some of you can’t help but bring Windows and Microsoft into the picture! Why?! This article and researcher had nothing to do with Microsoft. But of course, you guys always feel it necessary to bring Microsoft into the discussion. I really don’t know why: maybe because you sense that Microsoft is in fact the superior company. But I could be wrong.

    “Mac OS X worm…” –> “Yeah, but look how many viruses there are for Windows!”

    “Leopard has 10 new features” –> “Looks like Vista sucks now! Oh wait, it always did!”

    “New iPod coming in August” –> “And when’s that new Zune that can’t beat a 3rd-gen iPod coming out?!”

    Silly fanboys.

  5. If the guy publishes the code or how to generate it and someone uses it maliciously, then the guy will be liable for the damages caused as a result. Especially if he does not submit the method to Apple before something happens. Threatening Apple by saying he will release the worm or method is tantamount to blackmail.

    I hope they sue his arse if he does that.

  6. I have created an iPhone/Mac/Apple II+ worm! But I am anonymous. And I won’t work with Apple to fix it (mostly because I haven’t really created one but want to sound like I am actually relevant to the homosapien food chain).

    This worm can do all sorts of great things! It can infiltrate your TV via your Mac or iPhone and lock your TV stations so that you can only view porn. It will also change all your stereo’s FM presets to easy listening stations. As an added bonus, any electrical sex toys will operate at twice the speed. (If I had written the Worm for Windows, the toy would have blue screened and died requiring a 10 minute restart.)

  7. I agree with DogGone

    If the guy publishes the code, or how to generate, he should be hit with a lawsuit. He should then be prosecuted under the appropriate federal statutes that cover enabling network denials of service. The penalties are quite severe — and undertaking what amounts to attempted extortion (take “appropriate security measures, or I will release the information”) is a serious offense.

    The more this stuff is tolerated, the worse network security problems become.

  8. While I agree with what has been said about this being only a proof of concept and all that, folks, with Apple becoming so much in the public eye it is a matter of time when we have to really start worrying about it. And let’s face facts, Apple focuses on the user, so there are some logistical things that make OSX more secure.

    However, we should never rest on our laurels and make sure we, even us Mac geeks, practice good security.

    I highly recommend going to http://www.opendoor.com as Alan and his team are the ONLY real source for all things Mac security.

    Peace

  9. Agreed!

    Some guy says he figured out all kinds of horrible, no good, rotten ways to exploit the OS X but he’s not gonna tell us who he is, what he did exactly or how he did it, much less show us a working version of the “virus.” Yeah, this is gonna open the floodgates now. We might even have another “proof-of-concept” next quarter.

    I’m scared. Can I have a beer now? Anyone got any cheese doodles?

    Okay, back to work on my never-once-infected Mac!

  10. While any security threat should be taken seriously, I suspect that affecting “mDNSResponder, a component of Apple’s Bonjour automatic network configuring service” is going to limit it right off to local subnets. That is, corporate and academic institutions could experience an inside attack from a machine currently on the network. Few have to worry about broader Internet based attacks since Bonjour doesn’t work beyond the local group.

  11. “Also, if it is real it would have to be some sort of heap based overflow since stack buffer overflows have been mostly eliminated due to the NX bit in Intel’s Hardware.”

    I wasn’t aware that Mac OS X makes use of the Hardware No-Execute functionality in Intel processors. This support is relatively new in Windows and Microsoft has been phasing it in slowly (XP SP2 only enables NX on Windows system components by default) because it breaks some programs that are designed in a sloppy way.

    Anyone know for sure if Apple is even enabling NX?

  12. Chicken or the egg?
    With this “worm”, you can infect a Mac on a local area network if your Mac is already infected. How’d your Mac get infected? You had to install the malware deliberately!

    <sarcasm>Yeah, the Mac is insecure. </sarcasm>

  13. Quote “‘I do believe in being responsible and working with vendors,’ he said, ‘but I also feel that some vendors need to be treated like children and learn lessons the hard way. Apple has a very long way to go when dealing with security issues in their products,’”

    This from “The anonymous researcher who claims to have crafted a [proof-of-concept] Mac OS X worm”

    As we on this forum are aware, it’s easy to be smug when speaking anonymously.

    — go back to your worm farm Poindexter–

  14. My IT department has been devoting all their time the last few days to a recent Windows virus break out while I work unaffected on my Mac.

    Don’t you think a hacker with bad intentions would have released an OS X virus by now instead of someone with good intentions claiming to have a proof of concept be the only threat?

    Give me a break. Let’s get back to covering real Mac news.

  15. Think about it… the hacker who refused to be named, claims he is being compensated by someone to create this exploit. IF this is true, then he has undermined the value of what he has created for them by announcing it publicly and pointing to the vulnerable application.

    Does that sound like a smart person who wants to be compensated for his work in the future… or someone who isn’t telling the truth?

    Merely by admitting that he has created malicious software (he claims he has “weaponized it”), he admits he is in violation of several federal felony statutes. By stating that he has done this at the behest of a third party he admits he has done so as part of a conspiracy… also a felony.

    MDN magic word… “several”

  16. Apple has a very long way to go when dealing with security issues in their products,'” Keizer reports.

    Then why is OSX the only OS that has no viruses, spyware, or malware smarty pants? Because Apple does have the best security that’s why. Microsoft has a long way to go when dealing with security issues as it has been proven millions of times over when millions ended up getting infected and the stupid corporations that keep buying PCs lose millions of dollars as they have to rebuild all of their corporate PCs time and time again.

    Your supposed concept proves absolutely NOTHING! As always I’m sure someone will find out what you did and as always it will be some kind of cheat that needs to be done on the Mac only or with all security turned off which on a Mac is almost impossible to do. You ranting like a child proves nothing about Apple’s security but Apple’s security record proves everything. It reigns supreme as the most secure OS on the planet period!
