I wrote:
> In addition, many campus Mac OS X users are likely to be working
>in a user account with Admin privileges - which is the default for
>the first account set up under Mac OS X - so any malware would run
>with those privileges.
At 15:43 -0800 2006-02-23, Tom Holub replied:
>I don't think that's necessarily true; an OS X account with Admin
>privileges still needs to authenticate (via sudo or a dialog box)
>before it gets super-user privilege.
Tom's correct: malware which reaches a user's system via this
gaping wide open Mac OS X vulnerability would run as if it were:
a) logged in as the current user; but
b) didn't know that user's password
which would prevent it, at least outright, from performing tasks
which require super-user privileges, even when running within an
Admin user's account.
> I think an attacker would have to convince the user to type in
>their password to run with super-user privilege.
True, and that's likely why its of greater concern if the current
user is an Admin user. Once malware is executed, if it can trick
that type of user into entering their user password, it will then be
able to perform just about any action it wishes on the system. A
script could pretty easily put up a convincing GUI dialog -
indistinguishable from a dialog presented by the OS or a legitimate
application - that might be able to trick a substantial fraction of
users to give up that password.
Even without having the user's password, a script which executes
with the privileges of the current user on a Mac OS X system -
whether or not the user is an Admin user, and whether or not the
script has access to that user's password - can typically wreak a
fair amount of havoc, from mischievous to malicious.
Aron Roberts
Workstation Software Support Group
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Fri Feb 24 13:02:35 2006
This archive was generated by hypermail 2.1.8 : Fri Feb 24 2006 - 13:02:35 PST