Scammers have developed a strain of Mac scareware that avoids the need to trick a mark into entering an administrative password. Earlier rogue anti-virus strains, such as MacDefender, need permission to run, a hurdle MacGuard neatly sidesteps. MacGuard works on the premise that home users have administrator rights, meaning they …
Oh don't say that!
"meaning they don't need to enter the administrator password to install software in the Applications folder."
When I pointed this out, a whole bunch of fanbois told me I was wrong.
Send them the link for MacGuard... let them see if they need to enter the password for it to install... ;)
He who laughs last, laughs longest.
I can see a smile appearing on the MS fanbois now :)
They were confused
"Administrator privileges" tends to be synonymous with unfettered access to anything on a computer. A default install of OS X will require a password be entered for a bunch of tasks, such as viewing things stored on the keychain, making changes to certain system preferences and some other things.
However, you're quite right because on a default install, and I'll wager on 99.9% of machines out there, the single user has a tick against 'Allow user to administer this computer' and can write whatever they want to /Applications, whenever they want. Combine that with Safari shipping with 'Open "safe" files after downloading' ticked by default and it's easy to see how this program installs itself, given that archives are considered safe and I guess one of the archive formats doesn't properly guard against absolute paths.
All of the proper, internal paths should be properly locked down by default, so in theory this program shouldn't be able to do anything to stop you from just dragging it to the trash and hence uninstalling it. That said, it should still be a major embarrassment that it can install itself in the first place.
The user has some sort of admin priv by default? Isn't that the reason why XP gets hit by so much crap? Are the Apple devs so stuck in rose-tinted glasses that they didn't look to see that that was one of the big cock-ups of new-gen Windows (i.e. when they took the NT security model and completely rogered it)?
'Open Safe Files'
'Open Safe Files' shouldn't be ticked by default anymore - I don't think it has been for quite a few versions of Safari now, not since it was pointed out how obvious a security flaw this could be in the early days of pseudo-Trojans like the Applescript disguised as a JPG or MP3.
This malware STILL requires the user to install it as far as I can see - it doesn't auto-run the installer package.
I've seen the MacDefender and MacGuard pop-ups appearing a LOT recently when following links from Google's search results en route to reputable sites. It's the social-engineering aspect which always was, and still is, the weakest link.
The problem with the Administrator account on XP was that it WASN'T the main (single) user account - it was an extra hidden (unless you look for it) default account that always had the same username/password and never prompted the user to set anything to secure it.
@AC: He who laughs last, hasn't understood the punchline or is retarded.
chmod ug-x /Applications
That is all.
Yep. But I do understand why they did it.
The consumer market always makes the tradeoff between ease of use and security to favor the non-technical consumer. Linux, not being as widely adopted for consumer-market general-purpose computers, doesn't make the same tradeoff. Because it tends to be used/deployed only by knowledgeable techs, the tradeoff is kept on the security side. I think once you see Linux more broadly adopted by the consumer market, you'll see similar issues there. The technorati will still have relatively secure computers but the masses won't.
I still think Linux is inherently better positioned to be configured securely, it is just that mass market deployments don't support security.
95 and 98 didn't have admin accounts
nt, 2000, and XP did. If you ran the installation disk, you were prompted to set the admin password. The admin password was NOT blank by default - that was a choice made by the manufacturers who shipped pre-configured PCs. Lots, and Lots of Fail there, but not by MS.
Got it on a link and it didn't auto-install
Indeed, I got it from a Google link yesterday. It did download automatically without asking, but at the install step I got a confirmation pop-up. In fact, nothing can be installed on my Mac without prompting for the password and I didn't change any settings regarding security.
Looks so simple
90% of the people who own a Mac OSX based system at home won't have a clue what you just wrote.
I hope not, Tom 13.
"I think once you see Linux more broadly adopted by the consumer market, you'll see similar issues there. The technorati will still have relatively secure computers but the masses won't."
Read the fine print in the article, Tom 13:
"MacGuard works on the premise that home users have administrator rights, meaning they don't need to enter the administrator password to install software in the Applications folder."
Both Linux and MacOS are based on Unix. However, even more user-friendly versions of Linux force their users to _deliberately_ take superuser privileges (such as via sudo) every time they want to do anything administrative. Each time, users have to enter the right password.
Linux distributors assume that people do not need administrator rights 24/7. So there is no easy "Allow user to administer this computer" checkbox that gives users automatic administrative privileges. Nor do I hope there ever is - because the result would be a spit in the eye of the principles of Unix. Neither do I think this checkbox will ever be necessary - sudo is a one line command that is easy to type. (But typing your password should make you think.)
MacGuard-like behavior would affect Linux machines where (a) the only user is root, or (b) a user gave himself administrative privileges by default. But both these behaviors are actively discouraged by any Linux distribution you care to name. And if people do this and get infected, others will reckon "serves the bastard right for being so stupid!"
@AC 14:40 - Wrong.
That is the admin account for system recovery. Can't use that to log in when the system is booted normally.
The install process gives first user account set up admin rights. Subsequent ones will normally be ordinary users unless specifically changed. I always create my own admin account as the first account, and then create additional ordinary accounts for each of the kids for day-to-day use. I never give the kids the password for the admin account I created. I normally install any programs that then need admin rights.
For those awkward programs that have to have admin rights in order to run, I also create a second admin account, which I then fix in the Registry so that you can't log in using it, and tell the kids to use "Runas" with this account for any applications that won't work from their ordinary accounts.
It's not perfect, because you can really run anything with Runas as long as you can find it on the disk. But it meant that I was able to have one of our shared machines virus free for years (also have external firewall to block direct malicious traffic).
I think some of this must have stuck in the kids' minds, because now they are older, and have their own systems that they control completely, they often keep using this model, and generally have fewer problems than their peers.
On Windows 95 and 98,
there was effectively only a single user, with some slight trickery to allow some applications to store their defaults in different places for different 'users'.
All users were effectively administrator accounts, and as Fat16 and Fat32 filesystems did not have any form of security-by-user, the entirety of the system disk was vulnerable to infection by any account logged onto the system.
As a sideline, this last point is exactly why you should never do a WinNT, 2000 or XP install using Fat32 as the filesystem for the system disk, as this negates almost all of the security that segregated privileges provides.
On a side note, on XP and Windows 7 (not done a Vista install), the administrator password that is asked to be set up during install is indeed a hidden account that can only be used when the system is brought up in system recovery mode (or similar). This is intended to be used when the system will not start, or when users forget their own passwords.
By default when using the MS XP install process, the first named user account that is set up will be an administrator account unless changed. If you set up more than one user account during the install, the subsequent ones will not have administrator rights by default, but this can be changed.
But there is another point here. Many 'canned' Windows installs (for example, from system recovery disks) will not use the normal XP installation process, so even those users who have restored their system will not have seen this setup process. Only those wearing hair-shirts, and doing everything from lowest common denominator (MS install disks and vendor driver disks) will have seen these accounts being set up. But those of us who have done it this way KNOW that Windows installs are FAR, FAR more painful than some of the other OS offerings out there.
On modern Linuxes
the first account setup is an 'admin' account, but by default this gives them very little additional access to the system. What it does, however, is add them into the "admin" group which is setup so that they can use sudo when required to run commands with enhanced privileges. Thus in normal day-to-day use, the system is safe, and you can just worry about things that fire up the request for the password.
If you set up additional accounts without adding them to the "admin" group, they will not even be able to run sudo or use any of the additional commands that need sudo access to run (like package managers, for example). This makes those user accounts safe even from users who click "yes" to everything. Their personal information is still vulnerable, of course, but they will not be able to touch any of the system files or directories.
I thought that OSX was the same, but if there are application directories that can be written to by one of these accounts without needing to use sudo, then its security is significantly weaker than I thought. I will thus nod to everybody who has been saying that OSX is no better than Windows, admitting that I was not totally correct, but point out that it is still better than the all-or-nothing situation in the pre-Vista Windows world.
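An added check, written for this thread and not posted by any commenter, that tests the conditions the discussion keeps returning to: membership in the administrative group ("admin" on OSX; pass "sudo" or "admin" on a Linux box), password-free write access to the applications directory (/Applications, or /usr/local/bin on Linux), and Safari's "Open safe files" setting. The Safari check reads the AutoOpenSafeDownloads preference key, which is assumed here and only checked where the macOS `defaults` tool exists.

```sh
#!/bin/sh
# check_admin_exposure.sh (added example): report whether the current
# account already has what a MacGuard-style installer relies on, i.e. a
# seat in the admin group and a writable applications directory, with no
# password prompt in between.

# in_group GROUP: succeed if the current user is a member of GROUP.
in_group() {
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# writable_dir DIR: succeed if DIR exists and this user can create files
# in it without elevation (the condition exploited on /Applications).
writable_dir() {
    [ -d "$1" ] && [ -w "$1" ]
}

# safari_auto_open: succeed if "Open safe files after downloading" is
# ticked. Assumes the AutoOpenSafeDownloads key; returns 2 where the
# macOS `defaults` tool is absent so the caller can report "skipped".
safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || return 2
    v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    [ "$v" = "1" ]
}

# exposure_score GROUP DIR: print one line per check and return the
# number of risky conditions found (0-3) as the exit status.
exposure_score() {
    grp="${1:-admin}"; dir="${2:-/Applications}"; score=0
    if in_group "$grp"; then
        echo "RISK: $(id -un) is in group '$grp'"; score=$((score + 1))
    else
        echo "ok: $(id -un) is not in group '$grp'"
    fi
    if writable_dir "$dir"; then
        echo "RISK: $dir is writable with no password prompt"; score=$((score + 1))
    else
        echo "ok: $dir is not writable by this user"
    fi
    safari_auto_open && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "RISK: Safari auto-opens 'safe' downloads"; score=$((score + 1))
    elif [ "$rc" -eq 2 ]; then
        echo "skip: Safari preference not checkable on this system"
    else
        echo "ok: Safari does not auto-open downloads"
    fi
    return "$score"
}

# Run the report when executed as a script (sourcing it just loads the functions).
case "$0" in *check_admin_exposure*) exposure_score "$@" ;; esac
```

Run it as `sh check_admin_exposure.sh admin /Applications` on a Mac, or with `sudo /usr/local/bin` on Linux; a non-zero exit status means at least one of the thread's preconditions holds for your account.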
Apart from the installer prompting you to set the administrator password when you install the OS of course?
I've never worn a hair shirt, but
I have both built systems from the ground up and used system restore disks. Frankly, I cut my IT teeth on Radio Shack PCs, left the hobby for a while and then started learning it again with DOS 3.3.
Once MS realized the PR problems they were having because system vendors (and don't get me started on the early broadband providers helpfully setting accounts to auto-login admin users) were bypassing the account password setups they changed the OEM agreements to require the use of abbreviated setup screens where users are required to provide the passwords. So while the end user doesn't see the exact same screens as an OEM installer, they still answer the same questions. You can still enter a blank password, but it is an ACTIVE choice instead of a default.
I'm no MS apologist. Frankly if I had been the judge in the Netscape case they would have lost their shirts for violating their prior consent decree to not tie application sales to their OS, and it is possible some of their lawyers would have been turned over to the bar for ethics violations. But facts are important things and it is therefore important to keep them straight. And all of that is because of the number of times I installed their software for our OEM shop back in the day.
I can personally assure you that if you are on the Welcome Screen, press Ctrl + Alt + Delete, type Administrator and the password set there it works. It is the Local Administrator account, which can be logged in to.
@ AC 13:46
Not on my XP computers. The default admin account has been disabled and renamed and I work off a different admin account I have personally set up.
In other words
There are still a collection of idiots who should be given an Etch-a-sketch and told it is a computer and in order to erase a file, they simply hold it upside down and shake side-to-side (with apologies to Scott Adams).
On Modern linuxes...
They buggered the pooch by disallowing the 'Root' account (now one must go in and finger-f*** the init files to enable a root login).
The prior linux/unix security model worked perfectly, until they started to futz with disallowing root login and forcing sudo. This, IMO, is a much greater security hole than they had before. And many of my long-time linux/unix peers agree.
Trying to 'simplify' linux to appeal to mac-lusers and windows-whiners creates a set of problems which never existed before.
could still be blank
It wasn't until XP SP2 (if slipstreamed) that when installing you were required to enter a password. It did prompt for one, but it was possible to leave it blank with little more than a warning.
There is an Administrator account, yes. It may or may not have a password, yes. But why bother when *by* *default* the user account generated at start-up is given system wide "admin" permissions? I have two accounts on my little machine. The first, "Rick", was created during the initial setup. I can do anything from the get-go. The second, "Internet", that I created, is a limited user and can't do much. Can I run as a limited user all the time? No, for updates and stuff only appear to the priv account (remember, this is XP, I think they finally made this work properly in Win7?). There's more, but it's boring...
So, to the "average" home user: How many would you imagine even realise there are Admin/Limited account options, and understand what the differences are?
Anyway... can't believe this mistake is still being made. <sigh>
and that means
you are already screwed.
Why I avoided Ubuntu like the plague...
And use the upstream Debian instead. Debian has it the other way round: sudo disabled for all users by default, and a root password is mandatory. Counterintuitive to Win9x users, yes. But I was sold on the idea of safe computing from the very start. Granted that I do log in to the root account from time to time to perform dist-upgrades, but SSH on the box is disabled, and it's behind one helluva tight firewall on a separate dual-homed BSD machine. Tight as in nothing gets in or out - the computers can only connect to the internet via a set of proxy servers (Squid, Socks and RTSP) set up on said firewall.
I also find Debian's sudo disturbing - why does it grant superuser access with just the standard user's login? Asking for the root password (like OpenSuSE's sudo does) is the correct thing to do!
I guess that's the way
the cookie crumbles.
Your cookie crumbled?
The user still has to approve the install, even if it doesn't require a password.
If you're going to approve the install, then you would have given it your password anyway, because you want to install it, right?
This changes nothing.
why is that different?
Do you think you don't have to press OK in Windows to install something, that it just installs by itself? There is always some button, but to a novice, as most of us are, it looks like a legitimate OK. Macs are less secure than Windows generally speaking, they are just not attacked as much. Expect more similar stories in the future.
"There is always some button"
Nope, that's the issue, there isn't ALWAYS "some button". Google "drive by installs"
"If you're going to approve the install, then you would have given it your password anyway"
Providing that it's actually your machine and you have the password, that is.
Not with a silent install. I can push pretty much any application I want to a PC on my network and many times the user on the other end will have no idea I've done anything until they restart their computer.
THE REG LIES AGAIN
This so called "story" is a complete fabrication.
Macs are super special awesome and never have viruses. They are soooo much more secure than everything else.
Reg reporters need to learn to be real reporters and do some research... This is completely false. Nothing, not even Fort Knox, is more secure than Apple.
Is this sarcasm? irony?
I think the all caps heading means it's a bot doesn't it?
so hard to tell nowadays.
The only reason Macs have 'no' viruses
is that Apple charge the devs a bloody fortune for the license to write them :D
Yes, No, Maybe ...
...press the button to choose.
This changes everything, again.
I can hear a million hearts breaking across the world right now.
Double FAIL.. but not all Apples.
So I was thinking about this trojan recently. Not just the Mac version, but the Windows as well.
Ok, so first we have the actual transmission method of this trojan, which relies on poisoning Google's search results with links to the malware. Google's failure 1.
Then Chrome, Safari and even Firefox (if you have Google's stuff) all have an option to warn about malware. They all are powered using Google's Safe Browsing feature, which keeps a central database of sites found to serve malware, but apparently not this one. So that's failure 2.
Isn't that a lot of failing from Google?
Isn't Google also now pushing out their ChromeOS, which - due to its design doesn't run apps or let you install anything - is impervious to these types of attacks?
I find the timing very convenient.
so this is Google's fault?
no wonder you post anonymously.
The files are included in torrents, or e-mailed to a user? You seem to be expecting google to administer the whole internet, which is not their job, they offer some tools to warn you about potentially malicious sites, but end users will frequently click through the warning, or - for the obvious reason - Google won't have a warning in place for that particular site.
(Hint: The obvious reason is that it's impossible to make a system 100% impervious without dedicating a disproportionate amount of staff to it, and having that staff never make mistakes. Google's system, I believe, is automated, and needs to be updated to deal with emergent threats, they can't make it too automatically strict as it will make lots of false positives).
The reality distortion field at work
Mac screws up, blame Google!
If I remember correctly from the original article, Safari will auto-open any file it recognises as being "safe", which is part of the problem. Wouldn't you call that a massive fail from Apple?
You're missing the main thing here, this particular trojan has to convince users to install it by posing as an antivirus. It can only work (and barely) on the web.
E-mail has no way of knowing the OS, the people behind the malware would have to pick either the Windows or Mac UI in advance. Plus people are much more into e-mail scams, I doubt anyone would believe an e-mail saying they have viruses, it's ridiculous.
@Greg J Preece
I did say in the original title, FAIL but not only Apple.
Apple of course is to blame here with the "safe" file opening, but surely Google being the ones pushing out the links and failing to update their own malware detection service has to share some of it?
Like I said people on Windows are also being affected by a variant of this.
...if I use Bing or Yahoo I'm safe.
Phew. Thank you for letting me know.
Right you do understand what spam is?
I will enlighten you, so you don't get caught.
Congrats, you may have won 1,000,000 English dollars. Click link to claim
http://nationallottery.com (link actually directs to dodgy site in nowherestan)
Land on page, detect OS (VERY easy to do), redirect to correct page.
"so this is Google's fault?"
Well the fanbois have got to find somebody to blame for (a) there being a big hole in their OS and (b) their fellow Mac users being stupid enough to fall for it.
So you click on that dodgy site link, it opens the web browser, which should then check the link against Google's Safe Browsing list, right?
I don't see how that changes my original comment?
There is an anti-malware layer in most browsers these days even before you get into the operating system, be it OSX, Windows, or Linux. That layer IS NOT WORKING, although it is advertised as doing so.
That layer is also operated by Google. Why is no one seeing this?
Forget your Windows or Mac preferences and look at what's going on.
"I doubt anyone would believe an e-mail saying they have viruses, it's ridiculous."
It might be ridiculous but that wouldn't stop people from believing it.
Fair enough, they would believe it, but they would still need to go to a webpage to install it.
There's no way the e-mail would include Windows and Mac executables of the "anti-virus" and still get through the e-mail AV scanners (fortunately those tend to work better than Google's Safe Browsing crap)
End of the day, no matter the entry point, users still need to go to a webpage for an attack like this, and the primary provider of webpage malware scanning (Google) is not only not doing their job properly but also providing the original malware links as highly ranked search results in the first place.
They also are beginning to sell ChromeOS where the inability to install malware like this (or any actual software for that matter) is one of the main selling points. There is a clear conflict of interest here.