Focus on Apple
Re: Privileged vs. non-privileged? (was Re: Mac Trojan) Nov 01 2007 07:22PM
Dave Schroeder (das doit wisc edu)

On Nov 1, 2007, at 2:11 PM, Roland Dobbins wrote:

>
> On Nov 2, 2007, at 1:45 AM, Dave Schroeder wrote:
>
>> But it's a Trojan, which requires user interaction, downloading
>> something manually, and expressly granting it administrative
>> privileges to your machine.
>
> This brings up an interesting point - how many Mac users go to the
> trouble of setting up a nonprivileged account and then do their
> normal work under that? I don't know, but my guess is that it's a
> pretty low percentage, especially as, at least with Tiger, one runs
> into some issues such as borked /Applications perms/ownership which
> require a *NIX background to even understand, much less remedy.

Even if users did set up a non-admin account, they'd still be prompted
for admin access just the same...there is no distinction in this
trojan's behavior, or the results, whether it's run under an admin or
non-admin account. If they're prompted for admin access and give it,
the game is over.

> How many Mac users have been faced with a seemingly-random request
> to grant a non-obvious background app/utility Keychain access, not
> to mention commonly-used apps asking for it without an easily-
> discerned reason? And in such situation, what do they typically
> tend to do (I've my own opinion about this, but clue welcomed).

I think the answer is the same for Mac users as it is for Windows, as
the majority desktop platform: they'll grant the request. And if it's
something that will cause the system harm, the damage is done (or has
just begun). The point is that the really interesting, damaging, and
massive problems in recent memory have been exploits that have spread
in an automated fashion with little or no user interaction.

Trojans that require manual interaction and expressly granting them
root-equivalent privileges and which aren't taking advantage of any
bug/vulnerability/etc. in the OS, no matter how nifty or crafty they
might be, are really completely uninteresting to me, on Mac OS X or
any other platform. I don't care if it's "targeting" Mac OS X: this is
nothing new! Why do people act like it's the first time every time we
encounter the next piece of Mac OS X malware, with sensationalist
proclamations that "skilled" "hackers" are "targeting" Mac OS X? So
what? They've been "targeting" it for years. Or are they targeting it
"more" now?

The problem isn't the discussion that happens on lists like this. The
problem is that a relatively low-impact, low-danger, manifestly boring
and uninteresting "trojan" will now be covered as if the sky is
falling on the Mac platform far and wide in the press, including some
mainstream press (watch: I wouldn't be surprised if the likes of AP or
CNN picked this up DAYS later). And then, millions of more people are
casually exposed to news that they can't parse the nuance of, and are
left with the impression that Mac OS X is "insecure".

I'm not quite sure what purpose that serves...the coverage of Mac OS X
malware is still largely sensationalistic, and not much more.

- Dave

Copyright 2010, SecurityFocus