One of the great injustices of the computing world was finally addressed last week — Mac users can no longer complain that Windows folks get to hog all the viruses for themselves. Now they have some of their own.
As my colleagues Brian Krebs and Mike Musgrove wrote in Friday’s paper, a new, largely ineffectual virus has begun targeting Mac OS X 10.4 Tiger, the latest version of Apple’s operating system.
This particular piece of malware — called “OSX/Leap.A” by Symantec and “Oompa-Loompa” by Mac software developer Andrew Welch, who published one of the first write-ups of it online — comes disguised as a compressed archive of the latest screen shots of Apple’s next operating system.
But when you decompress this “latestpics.tgz” archive, you only see a single file that has a JPEG picture’s icon — except that file is a small program that will embed copies of itself in other programs on a Mac, then spread itself via Apple’s iChat instant-messaging program.
So how much trouble are Mac users in? Is it true that, as Krebs wrote in his chat, “the security honeymoon may be over for Mac users”?
I don’t think so. First, there never was such a thing as a security honeymoon. Mac OS X was and remains more resistant to malware attacks than Windows, thanks in large part to the restrictions it places on the ability of any user and any program to tinker with the guts of the system. (You’ll find this same basic defense deployed in Microsoft’s Windows Vista when that successor to Windows XP ships later this year). But the Mac never was and never will be Shangri-La.
An application that persuades or tricks you to enter an administrator’s password can do just as much damage as anything in Windows, and one that doesn’t make that request can still nuke all of your data, which can be just as bad in practice. And that’s been the case since the day Mac OS X 10.0 shipped (see earlier reports of OS X security issues here and here).
The Leap/Oompa-Loompa virus should be pretty easy to spot in practice. If you download this “latestpics” archive with Apple’s Safari browser, you’d normally get a warning that the archive contains an application. And in many Finder views, the file inside the archive will be clearly labeled as an application, not a JPEG.
But people will click past even the most urgent warnings and ignore even the most obvious signs of danger. And if they did that with this virus, they’d be out of luck; although it inserts code that modifies every other application on the computer, that action does *not* require entering an administrator’s password in the default administrator-account setup — unlike most sweeping changes in OS X. (There’s a good, moderately technical discussion of the feature exploited by this thing at the Daring Fireball blog.)
If you run a Mac, the drill is the same as it was before: Keep up to date with Apple’s security updates and be skeptical about files that come from strange sources. (At the very least, use the Finder’s Get Info command to inspect a new download.) There is also a good, free anti-virus program for OS X, ClamXav (here’s our review of it).
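As an added example (not from the article, Apple, or ClamXav), here is a small Python script that does roughly what the Get Info check does, but for an archive before you open it: it lists the members of a gzipped tar such as latestpics.tgz and flags anything that has execute permission, starts with a Mach-O program header, or carries a picture name without JPEG data. The sample archive it builds is constructed for the demonstration and is not the real malware.

```python
import io
import stat
import tarfile

# Mach-O (32-bit, either byte order) and universal "fat" binary headers: what a
# native OS X program of the era would start with. A JPEG starts with ff d8 ff.
EXECUTABLE_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
JPEG_MAGIC = b"\xff\xd8\xff"


def inspect_archive(tgz_bytes: bytes) -> list:
    """Return one warning per member that looks like a program posing as a picture:
    any execute bit set, a Mach-O header, or a .jpg name without JPEG bytes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(4)
            reasons = []
            if member.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("execute permission set")
            if head.startswith(EXECUTABLE_MAGICS):
                reasons.append("Mach-O executable header")
            if member.name.lower().endswith((".jpg", ".jpeg")) and not head.startswith(JPEG_MAGIC):
                reasons.append("picture name but not JPEG data")
            if reasons:
                findings.append(f"{member.name}: {', '.join(reasons)}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for the article's archive (not the real malware):
    one executable with a picture-like name next to a genuine JPEG."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in (
            ("latestpics", 0o755, b"\xfe\xed\xfa\xce" + b"\0" * 60),
            ("real_screenshot.jpg", 0o644, b"\xff\xd8\xff\xe0" + b"\0" * 60),
        ):
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for warning in inspect_archive(build_sample_archive()):
        print("WARNING:", warning)
```

Running it on the constructed archive reports only the "latestpics" member; the genuine JPEG passes quietly.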
One positive thing may come from all this: With actual OS X attacks floating around the Internet, perhaps we can end the tedious debate over whether the Mac is secure only because nobody bothers to write any attacks against OS X.
By: Rob Pegoraro
Read more about Mac computing from Rob Pegoraro at www.washingtonpost.com