Tag Archive for 'OSX'

Nov 03

OSX Trojan

The fact is rare enough to be worth mentioning. A “trojan” for OSX (Leopard included) is in the wild. It works by asking the user to download a codec to see a video (I let you guess what type of video it can be :) ). It looks something like this on the web page:

“Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”

When the user clicks, a .dmg is downloaded and the user is asked to give the administrator password (nobody uses the admin account as their everyday account, right? :) ). Instead of installing the promised codec, it changes the default DNS servers. Hence when you ask for a web site, the new DNS server redirects you to a fake one… Of course the user should notice that something is wrong because the admin password is asked for, but I have a little doubt here… Of course the DNS server will not redirect every site to a fake one.

The advisory can be found here: Intego Security Memo

A good idea would be to block the fake DNS server in the firewall; however, I haven’t found it. If anyone knows it, it could be useful. It would also be nice to check which sites are redirected.
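Two checks a defender can run against this kind of DNS change, as an added example that is not part of the original post or of the Intego memo: flag configured resolvers that are not on your expected networks, and diff the answers you get from the configured resolver against a trusted one to list redirected sites. The resolv.conf sample, the allowed network and the answer sets below are constructed; the regex also accepts `scutil --dns` style lines.

```python
import ipaddress
import re

# Matches both /etc/resolv.conf ("nameserver 1.2.3.4") and
# `scutil --dns` ("nameserver[0] : 1.2.3.4") lines.
_NS_RE = re.compile(r"^\s*nameserver(?:\[\d+\])?\s*:?\s*(\S+)", re.M)

# Constructed sample resolv.conf: the first entry is the LAN router, the
# second an unknown resolver of the kind the trojan installs (a
# documentation address, not a real indicator from the advisory).
SAMPLE_RESOLV_CONF = """\
domain home.example
nameserver 192.168.1.1
nameserver 203.0.113.7
"""

def parse_resolvers(text):
    """Return the resolver addresses listed in resolv.conf/scutil output."""
    return _NS_RE.findall(text)

def unexpected_resolvers(resolvers, allowed_networks):
    """Return resolvers outside the networks you expect (LAN, ISP)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    bad = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            bad.append(r)  # an unparsable entry is suspicious too
            continue
        if not any(addr in net for net in allowed):
            bad.append(r)
    return bad

def redirected_hosts(configured, trusted):
    """Hosts whose answer set from the configured resolver differs from the
    trusted resolver's. Both args map hostname -> set of IP strings."""
    return {h: (configured[h], trusted.get(h, set()))
            for h in configured if configured[h] != trusted.get(h, set())}

if __name__ == "__main__":
    found = parse_resolvers(SAMPLE_RESOLV_CONF)
    print("unexpected resolvers:", unexpected_resolvers(found, ["192.168.1.0/24"]))
    # Constructed answers: the bank site is redirected, the news site is not.
    cfg = {"bank.example": {"203.0.113.50"}, "news.example": {"198.51.100.20"}}
    ok = {"bank.example": {"198.51.100.10"}, "news.example": {"198.51.100.20"}}
    print("redirected:", redirected_hosts(cfg, ok))
```

On a real machine, feed `parse_resolvers` the contents of /etc/resolv.conf or the output of `scutil --dns`, and build the two answer maps by querying each resolver yourself (for example with `dig @resolver host`).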

Oct 30

Mac OS X Leopard (10.5) security: firewall analysis

Leopard is supposed to have introduced 11 new security features; among them, the firewall is supposed to have been reworked.

However, as pointed out in the Leopard security firewall analysis by heise Security, it appears that there are still some problems with the firewall. For me, the three key points that Apple should fix are:

  1. The firewall needs to be enabled by default. Better safe than sorry is the key to security. Since most people do not run network services, it should not be a big deal anyway.
  2. When you ask for “Block all incoming connections”, it should apply to every protocol, not only TCP. For instance, this policy does not apply to NTP queries (UDP) or even NetBIOS announcements (UDP)… That is totally lame. Note that you can activate UDP filtering in the advanced settings.
  3. The last requirement is more debatable, but it still deserves attention: why are there network services running by default?

The combination of these problems can lead to a serious flaw. For example: the NTP (Network Time Protocol) daemon shipped with Leopard is not the latest (4.2.2 instead of 4.2.4). Imagine there is a flaw in it. With the firewall, you should be safe enough to have time to patch. But wait a minute, you aren’t, because the firewall is not activated! Even if you activate it and ask to “Block all incoming connections”, you are still exposed because NTP is a UDP protocol… Of course, if you go to the firewall advanced settings you can block UDP traffic, but what about the legendary OS X simplicity?