Here's what you need to do to harden your system regardless of OS X version.
Q: Why do I need to do this?
A: Because /Library contains directories and files that are recognised by the system starter. The system starter runs as 'root', so any code it invokes will run as root as well. Rogue code placed in /Library can therefore take over your system.
The system looks for code to inject into Cocoa applications, code to run on every system start, and code to run on every login and logout. All this code will run as root, and on most systems these directories are not protected.
Q: Is there any evidence that this weakness is already being exploited?
A: Yes. Oompa Loompa used such a weakness and the new version of Opener uses two of them.
Q: Am I already safe on Tiger 10.4.5 with security updates 2006-001 and 2006-002?
A: Evidently not, although results vary. Some Tiger directories are hardened; others are not.
Q: Are any versions of OS X completely safe?
Q: Will antivirus software protect me against these attacks?
A: Evidently not. A new version of Opener has been in the wild for nearly two years without antivirus products even being aware of its existence.
Q: What do I need to do to harden my system against these new attacks?
A: Do the following from a command line.
# Don't worry if any of these first three commands fail:
# the important thing is that the directories are created
# (mkdir fails harmlessly when the directory already exists).
sudo mkdir /Library/InputManagers
sudo mkdir /Library/Preferences
sudo mkdir /Library/StartupItems
# Make each one writable by root only, then hand it to root:admin.
sudo chmod 0755 /Library/InputManagers
sudo chmod 0755 /Library/Preferences
sudo chmod 0755 /Library/StartupItems
sudo chown root:admin /Library/InputManagers
sudo chown root:admin /Library/Preferences
sudo chown root:admin /Library/StartupItems
# Finally /Library itself: group-writable for admins, never world-writable,
# and with the sticky bit so users can only remove entries they own.
sudo chmod 01775 /Library
sudo chown root:admin /Library