Adware targets Mac OS X

As F-Secure notes what may be the first example of adware designed for Macs, researcher LMH reports more flaws in the operating system as part of the Month of Kernel Bugs.

F-Secure Corp. has discovered what may be a first: adware that can be installed on Apple Computer Inc.'s Mac OS X operating system. Meanwhile, a researcher who goes by the name LMH continues to hammer away at the Mac by exposing new flaws as part of the Month of Kernel Bugs.

The Finnish security firm said in its blog that iAdware is a proof-of-concept sample that probably wouldn't be worth mentioning if not for the fact that it's designed for Mac OS X.

"In theory, this program could be silently installed to your user account and hooked to each application you use … and it doesn't require administrator rights to do so," F-Secure said. "This particular sample successfully launched the Mac's Web browser when we used any of a number of applications."

The vendor wouldn't disclose the exact technique used to install the adware, but did describe the entry point as a feature and not a flaw.

More from the Month of Kernel Bugs
As F-Secure was examining the adware, researcher LMH was busy exposing more Mac flaws as part of his Month of Kernel Bugs project. According to the researcher, Mac OS X fails to properly handle corrupted universal binaries, "leading to an exploitable memory corruption condition with potential risk of kernel-mode arbitrary code execution."

The flaw is caused by an integer overflow in the fatfile_getarch2() function. "Local unprivileged users can abuse this issue with specially crafted Mach-O 'Universal' binaries," LMH said in an advisory.
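The advisory as quoted here does not say which field overflows, so the following is an added illustration (not code from the advisory or from Apple) of the overflow-safe bounds checks a parser of universal binary headers needs. It assumes the public fat_header/fat_arch layout (big-endian 32-bit fields); fat_validate, make_sample and the 64-byte sample buffer are hypothetical names and constructed data, and the rule that a slice must start after the arch table is a conservative choice made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FAT_MAGIC     0xcafebabeu /* magic of a universal binary */
#define FAT_HDR_SIZE  8u          /* magic + nfat_arch */
#define FAT_ARCH_SIZE 20u         /* cputype, cpusubtype, offset, size, align */

/* Read and write big-endian 32-bit values. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Returns 0 if every fat_arch slice lies inside the file, -1 otherwise. */
int fat_validate(const uint8_t *buf, size_t len) {
    if (len < FAT_HDR_SIZE || be32(buf) != FAT_MAGIC)
        return -1;
    uint32_t nfat = be32(buf + 4);
    /* Divide instead of multiplying, so a huge nfat_arch cannot wrap. */
    if (nfat == 0 || nfat > (len - FAT_HDR_SIZE) / FAT_ARCH_SIZE)
        return -1;
    size_t table_end = FAT_HDR_SIZE + (size_t)nfat * FAT_ARCH_SIZE;
    for (uint32_t i = 0; i < nfat; i++) {
        const uint8_t *a = buf + FAT_HDR_SIZE + (size_t)i * FAT_ARCH_SIZE;
        uint32_t off = be32(a + 8), size = be32(a + 12);
        /* Compare by subtraction: "off + size > len" can wrap to a small value. */
        if (off < table_end || off > len || size > len - off)
            return -1;
    }
    return 0;
}

/* Constructed sample: header plus one fat_arch entry in a 64-byte buffer. */
void make_sample(uint8_t buf[64], uint32_t nfat, uint32_t off, uint32_t size) {
    memset(buf, 0, 64);
    put_be32(buf, FAT_MAGIC);
    put_be32(buf + 4, nfat);
    put_be32(buf + 16, off);   /* fat_arch[0].offset */
    put_be32(buf + 20, size);  /* fat_arch[0].size */
}

int main(void) {
    uint8_t b[64];
    make_sample(b, 1, 32, 0xffffffffu); /* size would wrap a 32-bit off+size */
    return fat_validate(b, sizeof b) == -1 ? 0 : 1;
}
```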

The operating system also fails to properly handle corrupted Mach-O binaries, leading to an exploitable memory corruption condition. "This is triggered by execution of a Mach-O binary with a valid mach_header structure and corrupted load_command data structures," LMH said. "Local unprivileged users can abuse this issue."

Meanwhile, LMH reported an error in the "kevent()" [kern/kern_event.c] function when registering certain kernel events. Local unprivileged users could exploit this to "panic a vulnerable system" and cause a denial of service.

Last week, the researcher reported a memory corruption error in the "com.apple.AppleDiskImageController" function that appears when corrupted DMG image structures are handled. Attackers could exploit this to cause a denial of service or execute arbitrary commands by convincing a user to visit a malicious Web page using the Safari Web browser.

Attacking the alternative
Though many consider it a more secure alternative to Microsoft Windows, Mac OS X has come under intense scrutiny in recent months. Earlier this year, the Mac was targeted by malicious code for the first time.

In August all eyes were again on Mac security when researchers David Maynor and Jon "Johnny Cache" Ellch showed attendees a video in which Maynor used a Dell Inc. laptop to compromise a MacBook in about 60 seconds, just by targeting its wireless card and wireless device driver.

Though the MacBook was fitted with a third-party device driver for that demonstration, Apple eventually acknowledged and fixed a Mac Wi-Fi flaw.
