New Attack Exploits Flaw in Apple Computers

By Brian Krebs, Staff Writer
Friday, June 30, 2006; 1:31 PM

Editor's Note: The text below is a posting from the Security Fix blog, which updates a previous version of this story.

Symantec is warning that it has detected a new piece of malware that tries to exploit a flaw in Mac OS X systems that Apple released a patch to fix just two days ago.

"OSX.Exploit.Launchd" exploits a security hole in the launchd service, which controls which programs start up whenever a user restarts a Mac. According to Symantec, this exploit gives the attacker root access -- total control -- over any Mac system running OS X version 10.4.6 or earlier.

Security vulnerabilities can be difficult to exploit on Mac systems because of the way the operating system was designed: the default account that the average person uses to browse the Web and run the system does not have full privileges to change system settings. In most cases, even if a Mac user were to accidentally download a piece of malware that tries to take advantage of a flaw in OS X, it would still not have permission to delete files or change system settings unless the user first provided their password (which, in theory, should alert the user that something is going on).

An attack that leveraged this flaw in launchd, however, would give the attacker full system rights just by convincing the recipient to execute the malicious code (no password needed).

Eric Sites, with Web security firm Sunbelt Software, said the Trojan was likely to end up in a mass-mailed e-mail worm at some point.

"Once you have root access you can do anything you want to Mac OS or the user's data files," Sites said. That would include the ability to wipe all data from the hard drive, completely reconfigure the system, or install a rootkit to maintain control over the system indefinitely, he added.

Symantec's write-up is fairly limited at the moment, but the company says it should have more information shortly. The company said that its automated Web crawlers spotted the malware, but I wonder if it didn't just pull down a copy of exploit code for this vulnerability that was posted to a popular hacker site just two days ago. At any rate, I will update this post as more information becomes available.

Update: 3:05 p.m. ET: As I suspected, Symantec didn't find anything actually wielding this exploit in the wild, even though it called the thing "a Trojan horse." In an interview just now, the company acknowledged that its sensors were in fact triggered by the exploit code published earlier this week online.

"What this will allow is for malicious code to embed itself deeper into the operating system than may have been possible previously," said Oliver Friedrichs, director of emerging technologies at Symantec Security Response. "But I don't see this turning into the next big Internet worm or anything."

© 2006 The Washington Post Company