[Ti] Re: Titanium Digest, Vol 18, Issue 23

r3solve r3solve at gmail.com
Sun Feb 26 14:03:10 PST 2006


>Message: 6
>Date: Sun, 26 Feb 2006 10:46:12 -0600
>From: Chris Olson <chris.olson at astcomm.net>
>Subject: Re: [OT] [Ti] Intel Mac Mini? now Security
>To: "A place to discuss Apple's Titanium computers."
>	<titanium at listserver.themacintoshguy.com>
>Message-ID: <2E48DC3B-92F2-49CD-8B39-DCCBFBBFAB2B at astcomm.net>
>Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>
>On Feb 26, 2006, at 8:16 AM, Tarik Bilgin wrote:
>
>>Chris I grant you that OS X is now seeing the kind of "battle  
>>hardening" that Windows has seen over the last 10 years. But for me  
>>at least, the discovery of some trojans and worms possible in OS X  
>>does not mean the sky is falling, but that yes sadly there are bugs  
>>in OS X.
>
>I don't believe I said the sky is falling.  Just that Mac OS X is  
>just as exploitable as Windows.
>
>>When I do a default install of OS X, I am running as a user with  
>>the potential to have administrator level privileges but my  
>>password is validated before making any major change like  
>>installing software.
>
>This is a common misconception.  Your demo of our fully-developed  
>exploit is on its way to you via private email, and I think some  
>things should be pointed out, for the benefit of others running OS X  
>as well:
>
>1.)  If you're an admin user on OS X (meaning you can authenticate to  
>install root-level software), you are at greater danger.  The reason  
>is that you belong to the BSD admin group.  This means you have  
>read/write access to root level directories, WITHOUT having to  
>authenticate.
>
>2.)  Mac OS X's software bundles are self-contained.  Inside the  
>bundle they contain their own libraries, etc..  This means a hacker  
>does NOT have to have root level access to run arbitrary code on your  
>system because software on Mac OS X can be run directly from a Disk  
>Image, or anywhere in your user account.
>
>3.)  To fully realize the extent of what can be done, take a good  
>look at the demo I sent you.  You'll see that you CAN NOT see the  
>actual program that does the damage in Finder, aka the proof-of- 
>concept demos on the web.  I dropped a trojan (a program) into your  
>user account without you even knowing it.  I can set cron jobs to run  
>it at arbitrary times, I can add it to your login items and keep it  
>hidden, or any number of things.  And you'll never find it short of  
>dropping to the Unix command line, and then you'll have to know what  
>you're looking for.
>
>4.)  In light of the above, I can install hidden key loggers, network  
>sniffers, or any number of malicious programs into your user account,  
>run them under your user privileges, have the program open a back  
>door (from inside your firewall), and retrieve your administrator  
>password.  Bingo - I got root on your computer.  The rest is history.
>

Chris, what do you suggest we do to prevent an attack like this from 
happening?
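An added example, written by the editor and not code from anyone in this thread, that turns the four quoted points into an audit of one account: it flags cron entries whose command lives under a hidden (dot-named) path or on a mounted disk image under /Volumes (points 2 and 3), lists executables tucked into dot-named directories in the home folder that Finder will not show (point 3), and reports which root-level directories the admin group can write without authenticating (point 1). The group name `admin` comes from the quoted message; `/Applications`, `/Library` and `/usr/local` as the directories worth checking, and the file names in the usage comment, are my assumptions. The crontab text in the test is constructed. Only POSIX sh, awk and find are used, so the script runs unchanged on OS X or Linux.

```shell
#!/bin/sh
# Added example (the editor's, not code from the thread): audit one OS X
# account for the user-level persistence described in the quoted message.
# Only POSIX sh, awk and find are used, so it also runs on Linux.

# Print crontab entries whose command refers to a hidden path component
# (a directory or file whose name starts with ".") or to a mounted disk
# image under /Volumes.  $1 is a file holding crontab text, e.g. saved
# from `crontab -l`.  Comments, blank lines and VAR=value lines are skipped.
suspicious_cron_entries() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            # "@reboot cmd" style entries: command starts at field 2,
            # otherwise it follows the five time fields
            start = ($1 ~ /^@/) ? 2 : 6
            cmd = ""
            for (i = start; i <= NF; i++) cmd = cmd (i > start ? " " : "") $i
            hidden = "/\\.[^./]"            # "/." followed by a real name
            image  = "(^|[ \t])/Volumes/"   # command run from a disk image
            if (cmd ~ hidden || cmd ~ image) print
        }' "$1"
}

# Print executable regular files under directory $1 that sit inside a
# dot-named directory or are dot-named themselves, i.e. invisible in
# Finder.  Paths are printed relative to $1.
hidden_executables() {
    ( cd "$1" && find . -type f -perm -0100 -path '*/.*' )
}

# Print those of the directories $2.. whose group is $1 and which that
# group may write.  On OS X the admin group owns /Applications with mode
# 775, so an admin user writes there with no password prompt (point 1).
group_writable_dirs() {
    grp=$1; shift
    for d in "$@"; do
        [ -d "$d" ] && find "$d" -maxdepth 0 -type d -group "$grp" -perm -0020
    done
    return 0
}

# One report for an account.  $1: saved crontab text, $2: home directory,
# $3: group to check (admin on OS X).  The root-level directories listed
# here are the editor's assumption of where admin-group write access matters.
audit_account() {
    echo "== cron entries using hidden paths or disk images =="
    suspicious_cron_entries "$1"
    echo "== executables hidden under $2 =="
    hidden_executables "$2"
    echo "== directories group $3 can write without authenticating =="
    group_writable_dirs "$3" /Applications /Library /usr/local
}

# Usage on the machine being audited (file names are placeholders):
#   crontab -l > /tmp/my-crontab.txt 2>/dev/null
#   audit_account /tmp/my-crontab.txt "$HOME" admin
```

The cron check deliberately matches only `/.name` components, so `/./` and `/../` in a path do not trip it; the disk-image check only looks at `/Volumes/` at the start of the command or after whitespace, so a quoted argument mentioning that path elsewhere is ignored. Login items, which the message also names as a persistence spot, live in a per-user property list rather than a text file and are not covered here.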

