Mac OS X Lion: Losing its security pride

By George V. Hulme, CSO |  Security, Apple, Mac OS X

The past couple of weeks have not been the best for Mac OS X's security reputation.

Recently, anti-virus firm F-Secure detailed a Trojan dropper that will insert a backdoor onto targeted systems. During the attack, a PDF is forcibly opened, designed to distract the end user from the shenanigans going on in the background.

According to F-Secure, the PDF file is written in Chinese, and is politically inflammatory. While the PDF launches, malware is dropped after it downloaded from a remote server located in Russia.

This week, Mac security software maker Intego said it discovered a new, albeit low risk, Trojan that pretends to be an Adobe Flash player installer. According to Intego, users visiting certain malicious websites may see a link or an icon to download and install Flash Player. Since Mac OS X Lion does not include Flash Player, some users may be fooled and think this is a real installation link, Intego said in an advisory.

It's those users that keep their standard system settings that are at the greatest risk, Intego says. Because the Safari browser is set to consider installer packages as safe (those files with a .phg or .mpky extension) it will automatically launch after download if their settings aren't changed from the default. Intego advises users remove those settings.

If the Trojan and malware are installed, according to the vendor's analysis, it will then attempt to shut down certain network security software and delete its own installation package. It will then install attack code that enables it to inject code into the applications the user launches. Intego says it will release more information about the code the Trojan inserts after it has completed its analysis.

In another recent scratch on OS X Lion's security luster, security researcher Patrick Dunstan posted on the Defense in Depth site about how OS X Lion's passwords can be maliciously changed. This is made possible, according to Dunstan, because Lion enables non-root users to view password hashes by extracting the data directly from Directory Services. That could be scary enough, but unfortunately, according to Dunstan's research, Directory Services in Lion doesn't require user authentication when performing a password change: which makes it easier for attackers to change passwords for you.

Does such security design missteps and a recent bump in OS X attack software mean OS X users need brace for a wave of fresh attacks and exploit code?


Originally published on CSO |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Spotlight on ...
Online Training

    Upgrade your skills and earn higher pay

    Readers to share their best tips for maximizing training dollars and getting the most out self-directed learning. Here’s what they said.

     

    Learn more

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness