F-Secure Corp. has discovered what may be a first: adware that
can be installed on Apple Computer Inc.'s Mac OS X operating
system. Meanwhile, a researcher who goes by the name LMH continues
to hammer away at the Mac by exposing new flaws as part of the
Month of Kernel Bugs.
The Finnish security firm said in its
blog that iAdware is a proof-of-concept sample that probably
wouldn't be worth mentioning if not for the fact that it's designed
for Mac OS X.
"In theory, this program could be silently installed to your
user account and hooked to each application you use … and it
doesn't require administrator rights to do so," F-Secure said.
"This particular sample successfully launched the Mac's Web browser
when we used any of a number of applications."
The vendor wouldn't disclose the exact technique used to install
the adware, but did describe the entry point as a feature and not a
flaw.
More from the Month of Kernel Bugs
As F-Secure was examining the adware, researcher LMH was busy
exposing more Mac flaws as part of his Month of Kernel Bugs
project. According to the researcher, Mac OS X fails
to properly handle corrupted universal binaries, "leading to an
exploitable memory corruption condition with potential risk of
kernel-mode arbitrary code execution."
The flaw is caused by an integer overflow in the
fatfile_getarch2() function. "Local unprivileged users can abuse
this issue with specially crafted Mach-O 'Universal' binaries," LMH
said in an advisory.
The operating system also fails
to properly handle corrupted Mach-O binaries, leading to an
exploitable memory corruption condition. "This is triggered by
execution of a Mach-O binary with a valid mach_header structure and
corrupted load_command data structures," LMH said. "Local
unprivileged users can abuse this issue."
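Both of the advisories above describe the same class of defect: a loader trusts a count or size field read from the file and does arithmetic on it before checking it against the buffer. The following C is an added illustration written for this article, not code from LMH's advisories or from Apple's kernel. It walks the two structures named above (the fat header with its nfat_arch array, and a 32-bit mach_header followed by load_command entries) in user space, using the public layouts of those structures; the sample inputs are constructed here, and the checks shown are the general defensive pattern rather than a reconstruction of the exact kernel bug.

```c
#include <stdint.h>
#include <stddef.h>

/* Layouts follow the public Mach-O fat header, mach_header and
 * load_command formats; sizes are hard-coded for the example. */
#define FAT_MAGIC        0xcafebabeu   /* fat header fields are big-endian */
#define MH_MAGIC         0xfeedfaceu   /* 32-bit mach_header, little-endian here */
#define FAT_HEADER_SIZE  8u            /* magic + nfat_arch */
#define FAT_ARCH_SIZE    20u           /* cputype, cpusubtype, offset, size, align */
#define MACH_HEADER_SIZE 28u           /* seven uint32 fields */
#define LC_HEADER_SIZE   8u            /* cmd + cmdsize */

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint32_t rd_le32(const uint8_t *p) {
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[3] = v >> 24; p[2] = v >> 16; p[1] = v >> 8; p[0] = v;
}

/* Validate a universal (fat) file in buf[0..len).  Returns the slice count
 * if every field is consistent with the buffer, -1 otherwise.  nfat_arch is
 * bounded before anything is multiplied by it, and offset+size is summed in
 * 64 bits, so neither computation can wrap. */
int validate_fat(const uint8_t *buf, size_t len) {
    if (len < FAT_HEADER_SIZE || rd_be32(buf) != FAT_MAGIC) return -1;
    uint32_t nfat = rd_be32(buf + 4);
    /* Compare against what the buffer can hold instead of forming nfat * 20 */
    if (nfat == 0 || nfat > (len - FAT_HEADER_SIZE) / FAT_ARCH_SIZE) return -1;
    for (uint32_t i = 0; i < nfat; i++) {
        const uint8_t *a = buf + FAT_HEADER_SIZE + (size_t)i * FAT_ARCH_SIZE;
        uint64_t off = rd_be32(a + 8), size = rd_be32(a + 12);
        if (size == 0 || off + size > len) return -1;   /* slice must lie in file */
    }
    return (int)nfat;
}

/* Walk the load commands of a 32-bit Mach-O image.  Returns the number of
 * commands walked, or -1 if any cmdsize would step outside the declared
 * command area (sizeofcmds) or the buffer. */
int validate_load_commands(const uint8_t *buf, size_t len) {
    if (len < MACH_HEADER_SIZE || rd_le32(buf) != MH_MAGIC) return -1;
    uint32_t ncmds = rd_le32(buf + 16), sizeofcmds = rd_le32(buf + 20);
    if (sizeofcmds > len - MACH_HEADER_SIZE) return -1;   /* area must fit in file */
    size_t pos = MACH_HEADER_SIZE, end = MACH_HEADER_SIZE + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - pos < LC_HEADER_SIZE) return -1;        /* no room for a header */
        uint32_t cmdsize = rd_le32(buf + pos + 4);
        /* Minimum size, 4-byte alignment, and checked by subtraction so that
         * pos + cmdsize is never computed and cannot wrap. */
        if (cmdsize < LC_HEADER_SIZE || (cmdsize & 3) || cmdsize > end - pos) return -1;
        pos += cmdsize;
    }
    return (int)ncmds;
}

/* Constructed samples (not real binaries), one per case the checks cover. */
int check_good_fat(void) {            /* two slices, both inside a 64-byte file */
    uint8_t buf[64] = {0};
    put_be32(buf, FAT_MAGIC); put_be32(buf + 4, 2);
    put_be32(buf + 16, 48); put_be32(buf + 20, 8);    /* slice 0: offset 48, size 8 */
    put_be32(buf + 36, 56); put_be32(buf + 40, 8);    /* slice 1: offset 56, size 8 */
    return validate_fat(buf, sizeof buf);
}
int check_overflow_fat(void) {        /* nfat_arch * 20 would wrap in 32 bits */
    uint8_t buf[64] = {0};
    put_be32(buf, FAT_MAGIC); put_be32(buf + 4, 0xFFFFFFFFu);
    return validate_fat(buf, sizeof buf);
}
int check_wrapping_slice(void) {      /* offset + size wraps in 32 bits only */
    uint8_t buf[64] = {0};
    put_be32(buf, FAT_MAGIC); put_be32(buf + 4, 1);
    put_be32(buf + 16, 0xFFFFFFF0u); put_be32(buf + 20, 0x20u);
    return validate_fat(buf, sizeof buf);
}
int check_good_load_commands(void) {  /* valid header, two well-sized commands */
    uint8_t buf[64] = {0};
    put_le32(buf, MH_MAGIC); put_le32(buf + 16, 2); put_le32(buf + 20, 24);
    put_le32(buf + 28, 1); put_le32(buf + 32, 16);
    put_le32(buf + 44, 2); put_le32(buf + 48, 8);
    return validate_load_commands(buf, sizeof buf);
}
int check_bad_load_command(void) {    /* valid header, cmdsize far past sizeofcmds */
    uint8_t buf[64] = {0};
    put_le32(buf, MH_MAGIC); put_le32(buf + 16, 1); put_le32(buf + 20, 16);
    put_le32(buf + 28, 1); put_le32(buf + 32, 0xFFFFFFF8u);
    return validate_load_commands(buf, sizeof buf);
}
```

The two validators reject every malformed sample and accept the well-formed ones; the pattern to take away is that every count or size from the file is compared against remaining space by division or subtraction, never by multiplying or adding first and then comparing.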
Meanwhile, LMH reported an
error in the "kevent()" [kern/kern_event.c] function when
registering certain kernel events. Local unprivileged users could
exploit this to "panic a vulnerable system" and cause a denial of
service.
Last week, the researcher reported a
memory corruption error in the "com.apple.AppleDiskImageController"
function that appears when corrupted DMG image structures are
handled. Attackers could exploit this to cause a denial of service
or execute arbitrary commands by convincing a user to visit a
malicious Web page using the Safari Web browser.
Attacking the alternative
Though many consider it a more secure alternative to Microsoft
Windows, Mac OS X has come under intense scrutiny in recent months.
Earlier this year, the
Mac was targeted by malicious code for the first time.
In August all eyes were again on Mac security when researchers
David Maynor and Jon "Johnny Cache" Ellch showed attendees a video
in which Maynor used a Dell Inc. laptop to
compromise a MacBook in about 60 seconds, just by targeting its
wireless card and wireless device driver.
Though the MacBook was fitted with a third-party device driver
for that demonstration,
Apple eventually acknowledged and fixed a Mac Wi-Fi flaw.