07/02/2006, 2:05pm, EDT
Sunday, July 2nd
Symantec warns of new OS X trojan horse
Symantec on Friday issued an alert warning Mac OS X users of a new Trojan horse that looks to exploit the recently described (and patched) Launchd vulnerability, which could provide root access on Macs running Mac OS X 10.4.6 or earlier. Security Focus adds that a successful attack may crash the application or lead to arbitrary code execution. Symantec's alert notes that OSX.Exploit.Launchd is a Trojan horse that exploits the Mac OS X LaunchD Local Format String Vulnerability, which was described only after Apple patched its OS earlier this week. The flaw was patched in the Mac OS X 10.4.7 update that Apple issued earlier this week. Separately, Apple re-released its Mac OS X 10.4.7 update for Intel-based Macs to address some missing OpenGL files in the initial version of the update.
When OSX.Exploit.Launchd is executed, it performs the following actions:
1. Exploits the Apple Mac OS X LaunchD Local Format String Vulnerability (as described in Security Focus BID 18724) which may elevate the privileges of a remote attacker's local account on an Apple Mac OS X computer.
Wait a sec.... MAY elevate the privileges of a remote attacker's LOCAL ACCOUNT?
So how is some evil hacker going to get a LOCAL ACCOUNT on my Mac? Sounds kinda like that stuff we heard of a while back where some guy challenged anyone to hack his Mac.... but first gave them a local account to play in.
Nudge me when I'm really threatened.
I guess now my locksmith and security company would like to sell me more products because I could be harmed or robbed by somebody that I invite into my house and give a key.
Now I realize it is a threat of some degree because you don't want users getting more permissions than you have assigned, but come on, this is nowhere near a major deal. The first rule of security is don't grant access to people you don't trust.
It's a nice theory that you shouldn't give access to people you don't trust, but sometimes you have to.
http://www.macfixit.com/article.php?story=20060630141843699
So how is some evil hacker going to get a LOCAL ACCOUNT on my Mac? Sounds kinda like that stuff we heard of a while back where some guy challenged anyone to hack his Mac.... but first gave them a local account to play in.
That's right. Since it doesn't affect YOU, then it's a non-story. I guess what you're saying is that no Macs are in any type of enterprise or multi-user environment?
Oh, and did you notice that this was called a Trojan Horse? A trojan horse is an app that looks like an innocuous program that actually has an "evil" payload. As such, if they can get you to run the program (not an incredibly hard effort), they can screw with launchd, have your local account's permission escalated, thus allowing THE PROGRAM to then issue commands under the escalated accounts.
Oh, and remember that because the bug causes an escalation, depending on the activity, no admin password is prompted to install other software/kexts on your system.
But, I forgot, this is the Mac OS. We're perfectly safe. All Mac users are 1000 times more intelligent than other computer users, so there's no way they'd be stupid enough to install a virus or run Trojan.app. We don't have to worry about anything!
Well then those idiots deserve to be hacked. Not installing security updates is your own blunder. Not Apple's problem.
And you louzer, are a friggin idiot. How come morons like louzer or testudo only post here and don't have the balls to face a real discussion in the forums?
While this isn't much of a threat now, it could have been given that a hacker used it on an account that didn't have a password.
It would be a matter of finding the account names and finding at least one that didn't have a password. Meaning local access doesn't necessarily mean they've had access to the computer before.
OS X isn't going to be virus free forever. It's just that up until now, no one's really cared to make viruses for OS X. That's slowly starting to change.
And sure, it wasn't really released, but just imagine if it was. How about people that have an account that doesn't have a password on their computer. Not because they're idiots, or anything, they just don't have one, like an account for the kids, or for troubleshooting, or as an account for visitors. There you go, there's the problem. One account without a password, and all you need then is the person to be running OS X 10.4.6, and the virus on it, and boom, admin privileges.
The point is, OS X isn't going to be immune to viruses forever, it's when the hackers start writing the viruses and releasing them to the wild is when that's going to end.
The problem is there is no such "trojan" in the wild, nor has anyone's machine been exploited. In fact, Symantec's "discovery" of this vulnerability only came about because Apple released Mac OS X 10.4.7, which precludes the exploit by patching the Mac OS X launchd process."
Thank you macfixit.com for some actually useful information.