About | Buy | Forum | Industry Watch | Learning Curve | Products | Search | Twitter | Xnews

Wormtongues

Feedback on the Hackers Handbook series.



There's been reaction to the start of the Hackers Handbook already. Some of it's expectedly dismissive ('we are the most secure operating system in the universe') but some of it - eg at Mac4Ever - raises good points.

Breaking the Chain

'I find the issue of the virus is more and more recurring', writes Rompod. 'I don't know what's reality but I am beginning more and more to be on my guard against these new tricks.'

'But they say it because it is true', writes Fuzzi. 'To be able to propagate, a virus needs a good base install of machines. For the Windows viruses, I mean the real ones which can propagate and which manage to send copies of themselves to other machines without needing permissions. It's enough that only one machine is a Mac or a Linux PC and the chain is broken. So worms won't be propagating quickly tomorrow on Linux or the Mac. Whereas Windows with its superb park of installed machines is a privileged target.'

And that's true - sort of: on 5 May 2000 when the Love Bug whacked the world almost all personal computers ran Windows and the great majority of them ran Outlook as well.

But not all were running Windows and far from all Windows users had Outlook installed - and yet the Love Bug did a good job of propagation anyway. As the Love Bug propagated itself to up to fifty new machines for each corrupted machine, things built up rapidly, no matter that a few 'chains' were 'broken'.

It comes down to the percentages. With a 95% demographic only a few machines won't be affected; ceteris paribus, with a 5% demographic only a few machines will be affected. It all comes down to how tightly knit the 'Mac community' is. What's the percentage of OS X users in the typical OS X address book? That's the critical issue.

As Charlie Miller said, it's going to take a bigger demographic for this to get interesting, for the worm authors to see a point in it. Currently they're working with a market demographic of 95% and that gives them a good saturation and good reason to keep concentrating on Windows to the exclusion of OS X.

But as #1) Apple are currently outselling PC OEMs and #2) it's relatively simple to create an OS X worm, things will change rapidly when the market reaches that tipping point.
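The percentages argument above as a simple branching-process model, added here as an illustration and not part of the original article. `FANOUT` is the fifty-per-machine Love Bug figure and `share` is the fraction of address-book contacts on the vulnerable platform; `open_rate` (the chance a vulnerable recipient runs the attachment) and the 40% address-book scenario are assumptions constructed for the example.

```python
"""Branching-process sketch of mail-worm spread (illustrative model only)."""

FANOUT = 50  # contacts mailed per infected machine (the page's Love Bug figure)


def r0(fanout, share, open_rate):
    """Expected new infections caused by one infected machine."""
    return fanout * share * open_rate


def critical_share(fanout, open_rate):
    """Address-book share at which r0 reaches 1 (the tipping point)."""
    return 1.0 / (fanout * open_rate)


def outbreak_probability(fanout, share, open_rate, tol=1e-12, max_iter=100000):
    """Chance that one infection starts a self-sustaining chain.

    Offspring per machine is Binomial(fanout, p) with p = share * open_rate.
    The extinction probability is the smallest fixed point of
    G(x) = (1 - p + p*x) ** fanout, found by iterating from x = 0.
    """
    p = share * open_rate
    x = 0.0
    for _ in range(max_iter):
        nxt = (1.0 - p + p * x) ** fanout
        if abs(nxt - x) < tol:
            x = nxt
            break
        x = nxt
    return max(0.0, 1.0 - x)


if __name__ == "__main__":
    OPEN_RATE = 0.10  # assumed, not from the page
    scenarios = [
        ("95% of contacts vulnerable", 0.95),
        ("5% of contacts vulnerable", 0.05),
        ("5% market share, 40% of address book (constructed)", 0.40),
    ]
    print(f"tipping point: {critical_share(FANOUT, OPEN_RATE):.0%} of contacts")
    for label, share in scenarios:
        print(f"{label}: R0={r0(FANOUT, share, OPEN_RATE):.2f}, "
              f"P(outbreak)={outbreak_probability(FANOUT, share, OPEN_RATE):.3f}")
```

Under these assumed numbers the chain dies out at a 5% share, but the same 5% market share with a tightly knit 40% address book is already past the tipping point.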

VD

VD is a bit troubled. 'I don't understand anything', he writes. 'Disk Utility reads the files in /Library/Receipts to determine the correct permissions. Thus if I am an admin I can indeed corrupt file permissions by putting tricks in /Library/Receipts. But if I am an admin I can also type 'sudo chmod' and enter my password to corrupt file permissions. Thus I wouldn't call this a security flaw.'

Poor VD's a bit confused: he forgets that in the one case he needs the password and fortuitously has it whilst in the other case the worm doesn't have the password and thanks to Apple doesn't need it either.

Arnaud

Arnaud de Brescia sails out into dangerous waters.

'Why do we get these trolls when it comes to OS X security? I tested all the POCs available at the MOAB site on OS X 10.4.10 with QuickTime 7.2 and the Security Update 2007-007 - and my system's invulnerable to all of them!'

If CVEs are not fixed by Apple and still open then there are security holes. de Brescia simply lacks the chops to see them. As regards MOAB #15 it's definitely wide open. MOAB #15 also has its CVE, has recently again 'encore une fois' been recognised by Apple as being 'a known issue', and very much will own any OS X 10.4.10 QuickTime 7.2 Security Update 2007-007 system out there today.

Perhaps part of the task of assessing the efficacy of the MOAB exploits is grasping the point behind them. You can't just run one and expect your computer to explode like a ginormous firework.

See Also
The Hackers Handbook — Foreword

Copyright © Rixstep. All rights reserved.