
Exploit Out for Newly-Patched Mac OS X Flaw

Symantec is warning that it has detected a new piece of malware that tries to exploit a flaw in Mac OS X systems that Apple released a patch to fix just two days ago.

"OSX.Exploit.Launchd" exploits a security hole in the "launchD" service, which controls which programs start up whenever a user restarts a Mac. According to Symantec, this exploit gives the attacker root access -- total control -- over any Mac system running OS X version 10.4.6 or earlier. Read Symantec's alert here.

Security vulnerabilities can be difficult to exploit on Mac systems because of the way the operating system was designed: namely, the default account that the average person uses to browse the Web and use the system does not have full privileges to change system settings. In most cases, even if a Mac user were to accidentally download a piece of malware that tries to take advantage of a flaw in OS X, it would still not have permission to delete files or change system settings unless the user first provided their password (which in theory should alert that user that something is going on).

An attack that leveraged this flaw in launchD, however, would give the attacker full system rights just by convincing the recipient to execute the malicious code (no password needed).

Eric Sites, with Web security firm Sunbelt Software, said the trojan was likely to end up in a mass mailed e-mail worm at some point.

"Once you have root access you can do anything you want to Mac OS or the user's data files," Sites said. That would include the ability to wipe all data from the hard drive, completely reconfigure the system, and install a rootkit to maintain control over the system indefinitely, he added.

Symantec's write-up is fairly limited at the moment, but the company says it should have more information shortly. The company said its automated Web crawlers spotted the malware, but I wonder if it didn't just pull down a copy of exploit code for this vulnerability that was posted to a popular hacker site just two days ago. At any rate, I will update this post as more information becomes available.

Update: 3:05 p.m. ET: As I suspected, Symantec didn't find anything actually wielding this exploit in the wild, even though it called the thing "a Trojan horse." In an interview just now, the company acknowledged that its sensors were in fact triggered by the exploit code published earlier this week online.

"What this will allow is for malicious code to embed itself deeper into the operating system than may have been possible previously," said Oliver Friedrichs, director of emerging technologies at Symantec Security Response. "But I don't see this turning into the next big Internet worm or anything."

By Brian Krebs  |  June 30, 2006; 12:54 PM ET
Categories: Latest Warnings


Um... "Exploit Out for Newly-Patched Mac OS X Flaw" turns out to be an article about a vaporware Trojan, other misleading stories, and a flaw that has been patched. Shame.

Posted by: Mark | June 30, 2006 3:43 PM | Report abuse

Not only is the "exploit" not in the wild, it was a purposefully crafted proof-of-concept (e.g. not a "hacker" authored malware). IMHO, Symantec is getting desperate about not selling copies of their products for OS X.

Posted by: Bingo45 | July 1, 2006 11:00 AM | Report abuse

Mr. Krebs, you rushed to publish an unverified (and typo-ridden) story. Shame on you. Next time wait two hours for the main subject to return your call.

Posted by: TexasYankee | July 1, 2006 10:33 PM | Report abuse

"Symantec is getting desperate about not selling copies of their products for OS X."

Then Symantec needs to improve their engineering and QE. Norton for Mac OSX has been a joke from the beginning.


Posted by: James | July 3, 2006 11:01 AM | Report abuse

As Brian says in his "About this blog" section: "[T]hink of "Security Fix" as a daily Internet security weather update."

I wish weather forecasters could do so well!

Thanks, Brian, for the overwhelming majority of accurate and timely warnings you have published for more than a year now. I can live with a miscue now and again -- especially when you yourself post a correction hours before your critics come in with their comments.

Posted by: Catawba | July 3, 2006 6:00 PM | Report abuse

Brian did the right thing. Fanboys just don't get it: if the system is insecure, it is insecure. Period. Linux is secure; OS X is not secure.

And as long as the fanboys keep tying C4 to their chests and try to run up and hug Brian Krebs, it will never be secure.

Posted by: Rick | July 4, 2006 9:24 AM | Report abuse

No, Rick, it is not that simple. We "fanboys" -- a pejorative that seems to be used so often and mindlessly that it says more about the name-caller than the intended target -- understand the situation quite well.

The story is simple. A security researcher discovered a vulnerability and reported it to Apple. Apple released a patch for the vulnerability. Once the patch was available, the security researcher published a proof of concept of the exploit (presumably to claim credit for his discovery). Symantec discovered the proof of concept and calls it a "Trojan Horse." Nothing is "in the wild." Users who have kept up to date are not vulnerable even if something were in the wild.

There is an inherent conflict of interest for computer security companies in that they want users to be afraid. They keep hyping every threat to promote sales of their software. Needless to say, I don't need to buy anything from Symantec to protect me from something that Apple patched before Symantec made a fuss about it.

Security is not a simple dichotomy. There are various degrees of security. Every system has some vulnerabilities, even Linux.

Brian dutifully reported Symantec's

Posted by: Thor | July 6, 2006 4:57 PM | Report abuse
