updated 11:15 am EST, Fri February 17, 2006
Second Mac OS X worm
Yet another concept worm for Mac OS X has emerged, confirming that the platform is vulnerable to malware, despite the reluctance of many users to acknowledge potential security issues in Mac OS X. The new Java-based concept worm, which will soon expire, was discovered by F-Secure; it exploits a Bluetooth vulnerability in older versions of Mac OS X Tiger. Although Apple has since corrected the problem in the latest releases of Mac OS X 10.4 Tiger, some users have chosen not to upgrade and many have not yet upgraded, which allows previously discovered and addressed exploits to be leveraged by malware. MacSecurityNews reports that OSX/Inqtana.A tries to spread from one infected system to others by using the Bluetooth OBEX Push vulnerability CAN-2005-1333. Users are urged to update to the latest version of Apple's OS X operating system (Mac OS X 10.4.5 was released earlier this week). This is the second worm for the Mac OS X platform; earlier this week, reports of the first worm for Mac OS X prompted a response from most major security vendors and some attention from Apple. [updated]
Apple provided a fix for the Bluetooth vulnerability for Mac OS X 10.3.x and Mac OS X 10.4.x in June of 2005.
"If you are using OS X 10.4 make sure that you have the latest security patches installed and you are safe from Inqtana.A and any future worm that tries to use the same exploit. Inqtana.A has not been met in the wild and it uses a Bluetooth library that is locked into a specific Bluetooth address and the library expires on 24. February 2006. So it is quite unlikely that Inqtana.A would be any kind of threat," according to MacSecurityNews.
The Inqtana.A worm spreads using an OBEX Push request, which requires the user to accept the data transfer. Once the transfer completes, Inqtana.A uses a directory traversal exploit to copy its files so that it starts automatically on the next reboot. The F-Secure site has also posted instructions on removing the worm from an infected system.
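
The directory traversal step described above depends on the receiver trusting the file name sent with the pushed object. The sketch below is an example added here, not code from Apple, F-Secure or the article. It shows the receiver-side check that closes that class of bug, assuming the standard OBEX Name header layout (ID 0x01, two-byte big-endian length, null-terminated UTF-16BE text); the function names, the inbox directory and the sample names are hypothetical.

```python
import os
import struct

OBEX_HDR_NAME = 0x01  # OBEX "Name" header identifier

def parse_name_header(buf: bytes) -> str:
    """Decode one Name header: id, 2-byte total length, UTF-16BE text."""
    if len(buf) < 3 or buf[0] != OBEX_HDR_NAME:
        raise ValueError("not a Name header")
    (total,) = struct.unpack(">H", buf[1:3])
    if total < 3 or total > len(buf):
        raise ValueError("bad header length")
    return buf[3:total].decode("utf-16-be").rstrip("\x00")

def build_name_header(name: str) -> bytes:
    """Encode a Name header (used here only to build constructed samples)."""
    body = name.encode("utf-16-be") + b"\x00\x00"
    return bytes([OBEX_HDR_NAME]) + struct.pack(">H", 3 + len(body)) + body

def safe_destination(inbox: str, pushed_name: str) -> str:
    """Return a path directly inside inbox for a pushed file, or raise ValueError."""
    # The sender controls this string, so both separator styles are rejected.
    if not pushed_name or "\x00" in pushed_name:
        raise ValueError("empty or malformed name")
    if "/" in pushed_name or "\\" in pushed_name or pushed_name in (".", ".."):
        raise ValueError("name contains a path component")
    root = os.path.realpath(inbox)
    dest = os.path.realpath(os.path.join(root, pushed_name))
    # Second check after symlink resolution: the file must land in the inbox itself.
    if os.path.dirname(dest) != root:
        raise ValueError("destination escapes the inbox")
    return dest

# Constructed sample names, as a sender might place them in the Name header.
SAMPLES = ["photo.jpg", "../../outside/item", "..\\item", ".."]

def check_samples(inbox: str) -> dict:
    """Run every constructed sample through parsing and the destination check."""
    results = {}
    for name in SAMPLES:
        try:
            safe_destination(inbox, parse_name_header(build_name_header(name)))
            results[name] = "accept"
        except ValueError:
            results[name] = "reject"
    return results
```
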