What is a Mach-O file?
⌘+c malware smacks Macs, drains keychains, pours over Tor
More malware capable of pilfering Mac keychain passwords and shipping them over Tor has been turned up, less than a day after a similar rare trojan was disclosed. Dubbed Keydnap, the malware is delivered as a compressed Mach-O file with a txt or jpg extension, with a hidden space character which causes it to launch in terminal …
COMMENTS
-
Thursday 7th July 2016 13:57 GMT Anonymous Coward
Always avoided using Keychain with any Apple branded stuff. Was I right?
I suspect you're talking about the Cloudy shared thing, yes, that's worth avoiding. But I doubt that you've avoided the local OSX keychain (which would also be somewhat pointless IMHO, but your needs may differ from mine).
-
Thursday 7th July 2016 09:29 GMT David Lawton
Now I see why Apple have removed the run apps from 'Anywhere' option in macOS Sierra. I don't know why you would run with that option turned on unless the user has been told to by an idiot. Keep Gatekeeper set to App Store and Identified Developers only; if you need an app from elsewhere and absolutely trust them, just right-click on the app and select Open, then an extra Open option appears instead of being blocked with only an OK box. Simple, and no need to compromise part of the security.
-
Thursday 7th July 2016 14:01 GMT JLV
Yeah, but there are legitimate reasons to accept run-this-even-though-it-was-downloaded apps at least on demand, as you yourself just explained how to do. Since the article specifically said the infection entry context wasn't known, Gatekeeper need not have been blanket disabled. What about, for example, a compromised but previously benign 3rd party app that needs an install exception? I install little - every new proggie is a risk - but not much of what I need is on the Apple app store.
Let's be careful and not just smugly trust that Apple's security is foolproof.
-
Thursday 7th July 2016 15:47 GMT AndyTempo
Running unsigned code
I have Gatekeeper set to App Store and Identified Developers, however I can compile and run executables without signatures. How does that work?
---------
[orion:~/asm] andy% cat hw.c
#include <stdio.h>
int main(int argc, char **argv)
{
printf("Hello, World\n");
}
[orion:~/asm] andy% gcc -o hw hw.c
[orion:~/asm] andy% ./hw
Hello, World
[orion:~/asm] andy%
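The mechanism behind the session above: Gatekeeper only assesses files that carry the com.apple.quarantine extended attribute, which quarantine-aware applications (Safari, Mail and the like) attach to things they download. A binary you compile yourself never receives that attribute, so no signature or notarisation check is ever triggered, regardless of the Gatekeeper setting. The script below is an added example, not code from the page, from Apple or from any poster: it parses the attribute's value (flags;timestamp;agent;UUID, the first two in hex) and reports whether a given file carries it at all. The sample attribute string is constructed, and the behaviour of creating a throwaway file locally is exactly the case the comment asks about: no attribute, so Gatekeeper stays out of the way.

```python
"""Inspect the com.apple.quarantine extended attribute that Gatekeeper keys on."""
import os
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample of a quarantine value as Safari would write it (not a real capture).
SAMPLE_VALUE = "0083;5e5f0a1b;Safari;9E6CD9AB-1234-4ABC-9DEF-0123456789AB"


def parse_quarantine(value):
    """Split a quarantine value into its four fields.

    Layout: flags;timestamp;agent;uuid, with flags and timestamp in hex.
    The agent is the application that downloaded the file; the UUID keys
    the entry in the per-user LaunchServices quarantine database.
    """
    fields = value.strip().split(";", 3)
    if len(fields) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(fields[0], 16)
    epoch_seconds = int(fields[1], 16)
    return {
        "flags": flags,
        "downloaded_at": datetime.fromtimestamp(epoch_seconds, tz=timezone.utc),
        "agent": fields[2] if len(fields) > 2 else "",
        "uuid": fields[3] if len(fields) > 3 else "",
    }


def read_quarantine(path):
    """Return the raw quarantine value of `path`, or None if it carries none.

    Python exposes os.getxattr on Linux; on macOS fall back to the system
    `xattr -p` command, which exits non-zero when the attribute is absent.
    """
    if hasattr(os, "getxattr"):
        try:
            return os.getxattr(path, QUARANTINE_XATTR).decode()
        except OSError:  # ENODATA/ENOATTR/ENOTSUP all mean "not quarantined"
            return None
    xattr_cmd = shutil.which("xattr")
    if xattr_cmd is None:
        return None
    proc = subprocess.run([xattr_cmd, "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def gatekeeper_will_assess(path):
    """Gatekeeper only looks at files that are quarantined."""
    return read_quarantine(path) is not None


def quarantine_of_fresh_file():
    """Create a file locally (like compiling ./hw) and report its quarantine value.

    Expected to be None on every platform: nothing quarantine-aware produced it.
    """
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as handle:
        handle.write(b"\xcf\xfa\xed\xfe")  # first bytes of a 64-bit Mach-O header, as a placeholder
        path = handle.name
    try:
        return read_quarantine(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    info = parse_quarantine(SAMPLE_VALUE)
    print(f"flags=0x{info['flags']:04x} agent={info['agent']} "
          f"downloaded={info['downloaded_at'].isoformat()} uuid={info['uuid']}")
    print("fresh local file quarantined:", quarantine_of_fresh_file() is not None)
```

To see the other side on a Mac, run `xattr -p com.apple.quarantine` on something Safari just downloaded and feed the output to parse_quarantine; `xattr -d com.apple.quarantine <file>` is precisely what removes Gatekeeper from the picture, which is why that command shows up in so many "how to open unsigned app" instructions.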
-
Friday 8th July 2016 04:50 GMT Crazy Operations Guy
"reads securityd's memory"
What kind of OS doesn't throw an exception when reading the memory space of a privileged process? Any secure OS would crash itself immediately if any non-kernel process attempted to read the memory space of any security-related process. For process-to-process communications for applications that require access to the security database, it should be done through a process that is completely non-privileged except for the ability to read a very small, public chunk of securityd's memory space.