New Mac scareware variant installs without password

Scammers have developed a strain of Mac scareware that avoids the need to trick a mark into entering an administrative password. Earlier rogue anti-virus strains, such as MacDefender, need permission to run, a hurdle MacGuard neatly sidesteps. MacGuard works on the premise that home users have administrator rights, meaning …

COMMENTS

This topic is closed for new posts.


  1. Greg J Preece

    Oh don't say that!

    "meaning they don't need to enter the administrator password to install software in the Applications folder."

    When I pointed this out, a whole bunch of fanbois told me I was wrong.

    1. lglethal Silver badge
      Jobs Horns

      Solution...

      Send them the link for MacGuard... let them see if they need to enter the password for it to install... ;)

    2. Anonymous Coward
      Jobs Horns

      Don't laugh

      He who laughs last, laughs longest.

      I can see a smile appearing on the MS fanbois now :)

      1. Marvin the Martian
        Pirate

        @AC: He who laughs last, hasn't understood the punchline or is retarded.

        chmod ug-x /Applications

        That is all.

        1. Anonymous Coward
          Boffin

          Looks so simple

          90% of the people who own a Mac OSX based system at home won't have a clue what you just wrote.

    3. ThomH

      They were confused

      "Administrator privileges" tends to be synonymous with unfettered access to anything on a computer. A default install of OS X will require a password be entered for a bunch of tasks, such as viewing things stored on the keychain, making changes to certain system preferences and some other things.

      However, you're quite right because on a default install, and I'll wager on 99.9% of machines out there, the single user has a tick against 'Allow user to administer this computer' and can write whatever they want to /Applications, whenever they want. Combine that with Safari shipping with 'Open "safe" files after downloading' ticked by default and it's easy to see how this program installs itself, given that archives are considered safe and I guess one of the archive formats doesn't properly guard against absolute paths.

      All of the proper, internal paths should be properly locked down by default, so in theory this program shouldn't be able to do anything to stop you from just dragging it to the trash and hence uninstalling it. That said, it should still be a major embarrassment that it can install itself in the first place.

      1. heyrick Silver badge
        WTF?

        Whoa, wait!?

        The user has some sort of admin priv by default? Isn't that the reason why XP gets hit by so much crap? Are the Apple devs so stuck in rose-tinted glasses that they didn't look to see that that was one of the big cock-ups of new-gen Windows (i.e. when they took the NT security model and completely rogered it)?

        1. Anonymous Coward
          Anonymous Coward

          Actually...

          The problem with the Administrator account on XP was that it WASN'T the main (single) user account - it was an extra hidden (unless you look for it) default account that always had the same username/password and never prompted the user to set anything to secure it.

          1. Tom 13

            95 and 98 didn't have admin accounts

            NT, 2000, and XP did. If you ran the installation disk, you were prompted to set the admin password. The admin password was NOT blank by default - that was a choice made by the manufacturers who shipped pre-configured PCs. Lots, and Lots of Fail there, but not by MS.

            1. Peter Gathercole Silver badge

              On Windows 95 and 98,

              there was effectively only a single user, with some slight trickery to allow some applications to store their defaults in different places for different 'users'.

              All users were effectively administrator accounts, and as FAT16 and FAT32 filesystems did not have any form of security-by-user, the entirety of the system disk was vulnerable to infection by any account logged onto the system.

              As a sideline, this last point is exactly why you should never do a WinNT, 2000 or XP install using FAT32 as the filesystem for the system disk, as this negates almost all of the security that segregated privileges provides.

              On a side note, on XP and Windows 7 (not done a Vista install), the administrator password that is asked to be set up during install is indeed a hidden account that can only be used when the system is brought up in system recovery mode (or similar). This is intended to be used when the system will not start, or when users forget their own passwords.

              By default when using the MS XP install process, the first named user account that is set up will be an administrator account unless changed. If you set up more than one user account during the install, the subsequent ones will not have administrator rights, by default, but this can be changed.

              But there is another point here. Many 'canned' Windows installs (for example, from system recovery disks) will not use the normal XP installation process, so even those users who have restored their system will not have seen this setup process. Only those wearing hair-shirts, and doing everything from lowest common denominator (MS install disks and vendor driver disks) will have seen these accounts being set up. But those of us who have done it this way KNOW that Windows installs are FAR, FAR more painful than some of the other OS offerings out there.

              1. Tom 13

                I've never worn a hair shirt, but

                I have both built systems from the ground up and used system restore disks. Frankly, I cut my IT teeth on Radio Shack PCs, left the hobby for a while and then started learning it again with DOS 3.3.

                Once MS realized the PR problems they were having because system vendors (and don't get me started on the early broadband providers helpfully setting accounts to auto-login admin users) were bypassing the account password setups they changed the OEM agreements to require the use of abbreviated setup screens where users are required to provide the passwords. So while the end user doesn't see the exact same screens as an OEM installer, they still answer the same questions. You can still enter a blank password, but it is an ACTIVE choice instead of a default.

                I'm no MS apologist. Frankly if I had been the judge in the Netscape case they would have lost their shirts for violating their prior consent decree to not tie application sales to their OS, and it is possible some of their lawyers would have been turned over to the bar for ethics violations. But facts are important things and it is therefore important to keep them straight. And all of that is because of the number of times I installed their software for our OEM shop back in the day.

            2. Michael C

              could still be blank

              It wasn't until XP SP2 (if slipstreamed) that when installing you were required to enter a password. It did prompt for one, but it was possible to leave it blank with little more than a warning.

          2. Peter Gathercole Silver badge
            FAIL

            @AC 14:40 - Wrong.

            That is the admin account for system recovery. Can't use that to log in when the system is booted normally.

            The install process gives first user account set up admin rights. Subsequent ones will normally be ordinary users unless specifically changed. I always create my own admin account as the first account, and then create additional ordinary accounts for each of the kids for day-to-day use. I never give the kids the password for the admin account I created. I normally install any programs that then need admin rights.

            For those awkward programs that have to have admin rights in order to run, I also create a second admin account, which I then fix in the Registry so that you can't log in using it, and tell the kids to use "Runas" with this account for any applications that won't work from their ordinary accounts.

            It's not perfect, because you can really run anything with Runas as long as you can find it on the disk. But it meant that I was able to have one of our shared machines virus free for years (also have external firewall to block direct malicious traffic).

            I think some of this must have stuck in the kids' minds, because now they are older, and have their own systems that they control completely, they often keep using this model, and generally have fewer problems than their peers.

            1. Anonymous Coward
              Anonymous Coward

              @Peter Gathercole

              I can personally assure you that if you are on the Welcome Screen, press Ctrl + Alt + Delete, type Administrator and the password set there it works. It is the Local Administrator account, which can be logged in to.

              1. Zippy the Pinhead
                FAIL

                @ AC 13:46

                Not on my XP computers. The default admin account has been disabled and renamed and I work off a different admin account I have personally set up.

          3. Anonymous Coward
            Anonymous Coward

            err

            Apart from the installer prompting you to set the administrator password when you install the OS of course?

          4. heyrick Silver badge
            Meh

            Actually²...

            There is an Administrator account, yes. It may or may not have a password, yes. But why bother when *by* *default* the user account generated at start-up is given system wide "admin" permissions? I have two accounts on my little machine. The first, "Rick", was created during the initial setup. I can do anything from the get-go. The second, "Internet", that I created, is a limited user and can't do much. Can I run as a limited user all the time? No, for updates and stuff only appear to the priv account (remember, this is XP, I think they finally made this work properly in Win7?). There's more, but it's boring...

            So, to the "average" home user: How many would you imagine even realise there are Admin/Limited account options, and understand what the differences are?

            Anyway... can't believe this mistake is still being made. <sigh>

        2. Tom 13

          Yep. But I do understand why they did it.

          The consumer market always makes the tradeoff between ease of use and security to favor the non-technical consumer. Linux, not being as widely adopted for consumer market general purpose computing, doesn't make the same tradeoff. Because it tends to be used/deployed only by knowledgeable techs, the tradeoff is kept on the security side. I think once you see Linux more broadly adopted by the consumer market, you'll see similar issues there. The technorati will still have relatively secure computers but the masses won't.

          I still think Linux is inherently better positioned to be configured securely, it is just that mass market deployments don't support security.

          1. Peter Murphy
            Linux

            I hope not, Tom 13.

            "I think once you see Linux more broadly adopted by the consumer market, you'll see similar issues there. The technorati will still have relatively secure computers but the masses won't."

            Read the fine print in the article, Tom 13:

            "MacGuard works on the premise that home users have administrator rights, meaning they don't need to enter the administrator password to install software in the Applications folder."

            Both Linux and MacOS are based on Unix. However, even more user-friendly versions of Linux force their users to _deliberately_ take superuser privileges (such as via sudo) every time they want to do anything administrative. Each time, users have to enter the right password.

            Linux distributors assume that people do not need administrator rights 24/7. So there is no easy "Allow user to administer this computer" checkbox that gives users automatic administrative privileges. Nor do I hope there ever is - because the result would be a spit in the eye of the principles of Unix. Neither do I think this checkbox will ever be necessary - sudo is a one line command that is easy to type. (But typing your password should make you think.)

            MacGuard-like behavior would affect Linux machines where (a) the only user is root, or (b) a user gave himself administrative privileges by default. But both these behaviors are actively discouraged by any Linux distribution you care to name. And if people do this and get infected, others will reckon "serves the bastard right for being so stupid!"

          2. jcipale
            Coat

            In other words

            There are still a collection of idiots who should be given an Etch-a-sketch and told it is a computer and in order to erase a file, they simply hold it upside down and shake side-to-side (with apologies to Scott Adams).

      2. Anonymous Coward
        Anonymous Coward

        'Open Safe Files'

        'Open Safe Files' shouldn't be ticked by default anymore - I don't think it has been for quite a few versions of Safari now, not since it was pointed out how obvious a security flaw this could be in the early days of pseudo-Trojans like the Applescript disguised as a JPG or MP3.

        This malware STILL requires the user to install it as far as I can see - it doesn't auto-run the installer package.

        I've seen the MacDefender and MacGuard pop-ups appearing a LOT recently when following links from Google's search results en route to reputable sites. It's the social-engineering aspect which always was, and still is, the weakest link.

        1. Herba

          Got it on a link and it didn't auto-install

          Indeed, I got it from a Google link yesterday. It did download automatically without asking, but at the install step I got a confirmation pop-up. In fact, nothing can be installed on my Mac without prompting for the password and I didn't change any settings regarding security.

          1. Anonymous Coward
            Angel

            and that means

            you are already screwed.

      3. Peter Gathercole Silver badge

        On modern Linuxes

        the first account set up is an 'admin' account, but by default this gives them very little additional access to the system. What it does, however, is add them into the "admin" group which is set up so that they can use sudo when required to run commands with enhanced privileges. Thus in normal day-to-day use, the system is safe, and you can just worry about things that fire up the request for the password.

        If you set up additional accounts without adding them to the "admin" group, they will not even be able to run sudo or use any of the additional commands that need sudo access to run (like package managers, for example). This makes those user accounts safe even from users who click "yes" to everything. Their personal information is still vulnerable, of course, but they will not be able to touch any of the system files or directories.

        I thought that OSX was the same, but if there are application directories that can be written to by one of these accounts without needing to use sudo, then its security is significantly weaker than I thought. I will thus nod to everybody who has been saying that OSX is no better than Windows, admitting that I was not totally correct, but point out that it is still better than the all-or-nothing situation in the pre-Vista Windows world.
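A small audit of the two ingredients ThomH describes above (a user in the admin group writing to /Applications with no password prompt, and Safari's "Open safe files" preference), which also answers Peter Gathercole's question about application directories being writable without sudo. This is an added example, not code from the thread or from Apple; the gid values used in the comments and test (80 for admin, 20 for staff) and the Safari preference key `AutoOpenSafeDownloads` are assumptions about a default OS X install, and the pure check ignores ACLs.

```python
import os
import stat
import subprocess
from typing import Iterable, Optional


def can_write_without_prompt(mode: int, owner_uid: int, owner_gid: int,
                             uid: int, gids: Iterable[int]) -> bool:
    """Plain POSIX mode check (ACLs ignored): root always can; otherwise the
    owner bits, then the group bits for any group the user belongs to, then
    the 'other' bits decide. No authorisation dialog exists at this layer,
    which is why an admin-group user writes to /Applications silently."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in set(gids):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_path(path: str) -> dict:
    """Report whether the invoking user can drop files into `path` without
    any prompt. On a default OS X install /Applications is root:admin 0775
    (assumed here), so members of gid 80 ('admin') can."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getgid()}
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "owner_uid": st.st_uid,
        "owner_gid": st.st_gid,
        "writable_without_prompt": can_write_without_prompt(
            st.st_mode, st.st_uid, st.st_gid, os.getuid(), gids),
    }


def parse_defaults_bool(output: str) -> Optional[bool]:
    """Interpret what `defaults read` prints for a boolean key:
    1/YES/true are on, 0/NO/false are off, anything else is unknown."""
    token = output.strip().lower()
    if token in ("1", "yes", "true"):
        return True
    if token in ("0", "no", "false"):
        return False
    return None


def safari_auto_open_enabled() -> Optional[bool]:
    """Read Safari's 'Open "safe" files after downloading' setting.
    Returns None off a Mac or when the key is unset (Safari's built-in
    default then applies). Disabling it is the mitigation the thread
    discusses: defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"""
    try:
        out = subprocess.run(
            ["defaults", "read", "com.apple.Safari", "AutoOpenSafeDownloads"],
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_defaults_bool(out)


if __name__ == "__main__":
    target = "/Applications" if os.path.isdir("/Applications") else "."
    print(audit_path(target))
    print("Safari auto-open 'safe' files:", safari_auto_open_enabled())
```

Run it as the everyday login user; if the report says the directory is writable without a prompt and Safari auto-open is on, you have exactly the combination ThomH describes.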

        1. jcipale
          Flame

          On Modern linuxes...

          They buggered the pooch by disallowing the 'Root' account (now one must go in and finger-f*** the init files to enable a root login).

          The prior linux/unix security model worked perfectly, until they started to futz with disallowing root login and forcing sudo. This, IMO, is a much greater security hole than they had before. And many of my long-time linux/unix peers agree.

          Trying to 'simplify' linux to appeal to mac-lusers and windows-whiners creates a set of problems which never existed before.

          1. Anonymous Coward
            Boffin

            Why I avoided Ubuntu like the plague...

            And use the upstream Debian instead. Debian has it the other way round: sudo disabled for all users by default, and a root password is mandatory. Counterintuitive to Win9x users, yes. But I was sold on the idea of safe computing from the very start. Granted that I do log in to the root account from time to time to perform dist-upgrades, but SSH on the box is disabled, and it's behind one helluva tight firewall on a separate dual-homed BSD machine. Tight as in nothing gets in or out: the computers can only connect to the internet via a set of proxy servers (Squid, Socks and RTSP) set up on said firewall.

            I also find Debian's sudo disturbing: why does it grant superuser access with just the standard user's login? Asking for the root password (like OpenSuSE's sudo does) is the correct thing to do!

  2. The Alpha Klutz
    Boffin

    I guess that's the way

    the cookie crumbles.

    1. P Zero
      Jobs Horns

      YYYYYYYYYYYYYYEEEEEEEEEEEEEEEEEEAAAAAAAAAAAAAAHHHHHHHHHHHH

      The post is required, and must contain letters.

    2. studentrights
      Jobs Halo

      Your cookie crumbled?

      The user still has to approve the install, even if it doesn't require a password.

      If you're going to approve the install, then you would have given it your password anyway, because you want to install it, right?

      This changes nothing.

      1. pan2008

        why is that different?

        Do you think you don't have to press OK in Windows to install something, it just installs by itself? There is always some button, but to a novice, as most of us are, it looks like a legitimate OK. Macs are less secure than Windows generally speaking, they are just not attacked as much. Expect more similar stories in the future.

        1. Joe 35
          Thumb Down

          "There is always some button"

          Nope, that's the issue, there isn't ALWAYS "some button". Google "drive by installs"

        2. Zippy the Pinhead
          Stop

          @pan2008

          Not with a silent install. I can push pretty much any application I want to a PC on my network and many times the user on the other end will have no idea I've done anything until they restart their computer.

      2. Anonymous Coward
        Anonymous Coward

        "If you're going to approve the install, then you would have given it your password anyway"

        Providing that it's actually your machine and you have the password, that is.

  3. Anonymous Coward
    Anonymous Coward

    This changes everything, again.

    I can hear a million hearts breaking across the world right now.

    #smugnessfail

  4. Anonymous Coward
    Jobs Halo

    THE REG LIES AGAIN

    This so called "story" is a complete fabrication.

    Macs are super special awesome and never have viruses. They are soooo much more secure than everything else.

    Reg reporters need to learn to be real reporters and do some research... This is completely false. Nothing, not even Fort Knox, is more secure than Apple.

    1. Paul_Murphy

      Wait...

      Is this sarcasm? irony?

      I think the all caps heading means it's a bot doesn't it?

      so hard to tell nowadays.

      ttfn

      1. Doug Glass
        Go

        Yes, No, Maybe ...

        ...press the button to choose.

    2. Anonymous Coward
      Joke

      The only reason Macs have 'no' viruses

      is that Apple charge the devs a bloody fortune for the license to write them :D

  5. Anonymous Coward
    Anonymous Coward

    Hahahahahahahahahahahahahahahahahaha

    Welcome to the party.

    At least MS admits its problems and attempts to fix them.

    Enjoy your FUD fanbois.

    1. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Umm

      I think Apple already admitted the problem and is attempting to fix it via software update?

      Did you miss yesterday's news? http://www.theregister.co.uk/2011/05/25/apple_acknowledges_macdefender/

      1. Ilgaz

        will they dare?

        Number 1 problem is "open 'safe' files" default setting, notice the quotes there, put by Apple themselves!

        You can also make "Downloads" non-executable, UNIX has that capability, but they won't dare as it will create serious usability problems and idiot developers still insist on not using the OS X installer (including browser makers), so drag&drop would be affected.

        If I was Apple, I would assign a couple of developers to anonymously contribute data to the Clam database as the Clam guys have a problem understanding Mac threats and taking them seriously.

        1. Barry Lane 1
          Troll

          @ will they dare?

          "Open safe files" has not been a default setting for a couple of years now, plus a Mac user would have to be as dull-witted as the average MS fanbois to actually install this POS. All right, I'm just trolling you there, but there are countless people with pee-cees and Macs who happily click on anything they think looks interesting or, better still, free. Most of humankind who use a computer haven't the faintest idea what makes it tick. I drive a car, but if it went wrong and I had to fix it, I wouldn't know which end of a hammer to hit it with. You and I might be cynical and clever enough not to click on an "install trojan now" button, but there you are. Maybe we're just lucky.

          I use Macs and I have Intego Virus Barrier installed on all three (no, this isn't an ad for Intego) and have done so for several years. Now that Macs are becoming so popular it is inevitable that the Russian Business Network or whoever is behind it would turn their attentions to the shiny stuff as well. They might be crooks but they're not completely stupid.

  6. Anonymous Coward
    Alert

    Double FAIL.. but not all Apples.

    So I was thinking about this trojan recently. Not just the Mac version, but the Windows as well.

    Ok, so first we have the actual transmission method of this trojan, which relies on poisoning Google's search results with links to the malware. Google's failure 1.

    Then Chrome, Safari and even Firefox (if you have Google's stuff) all have an option to warn about malware. They all are powered using Google's Safe Browsing feature, which keeps a central database of sites found to serve malware, but apparently not this one. So that's failure 2.

    Isn't that a lot of failing from Google?

    Isn't Google also now pushing out their ChromeOS, which - due to its design doesn't run apps or let you install anything - is impervious to these types of attacks?

    I find the timing very convenient.

    1. sabroni Silver badge
      WTF?

      so this is Google's fault?

      no wonder you post anonymously.

      1. Anonymous Coward
        Anonymous Coward

        @sabroni

        "so this is Google's fault?"

        Well the fanbois have got to find somebody to blame for (a) there being a big hole in their OS and (b) their fellow Mac users being stupid enough to fall for it.

    2. Greg J Preece

      The reality distortion field at work

      Mac screws up, blame Google!

      If I remember correctly from the original article, Safari will auto-open any file it recognises as being "safe", which is part of the problem. Wouldn't you call that a massive fail from Apple?

      1. Anonymous Coward
        Anonymous Coward

        @Greg J Preece

        I did say in the original title, FAIL but not only Apple.

        Apple of course is to blame here with the "safe" file opening, but surely Google being the ones pushing out the links and failing to update their own malware detection service has to share some of it?

        Like I said people on Windows are also being affected by a variant of this.

      2. Semihere
        Stop

        Re: The reality distortion field at work

        "If I remember correctly from the original article, Safari will auto-open any file it recognises as being "safe", which is part of the problem. Wouldn't you call that a massive fail from Apple?"

        The article's wrong though. Apple 'fixed' this issue several versions of Safari ago. It no longer ships with the option checked by default, you'd have to deliberately turn that option on yourself.

        Fail averted?

        (although you're still right about the distortion field LOL)

        1. RAMChYLD
          FAIL

          Fail not averted

          Problem is, I've met tons of Mac users who had never, ever run System Update. Ever. Under the excuse of "It ain't broke, why fix it?".

          Seriously, the solution to this problem is to teach safe computing in school. Be it Linux, Windows, Mac OS, Solaris or BSD, if the user is gullible, then the computer is always at risk.
