Scott's Weblog The weblog of an IT pro specializing in virtualization, networking, open source, and cloud computing

Trojan Horse Exploiting OS X Flaw

Within the last couple of days, the Symantec Security Response web site posted a warning about a new Mac OS X-based trojan horse called OSX.Exploit.Launchd. This trojan horse supposedly takes advantage of a vulnerability that Apple patched with the recent Mac OS X 10.4.7 update (for both PowerPC and Intel Macs). This vulnerability, if exploited, can result in root access. But that’s not all of the story.

The disclosure of this trojan horse—which, to my understanding, has not yet been seen in the wild—is making the rounds on more than a few web sites. The problem is that most of these sites are discussing the trojan horse, but aren’t discussing one very important fact about this trojan horse: it requires a local account.

That’s right, folks, this is a local elevation of privilege account that requires that an attacker already have a local account on a system in order to exploit the vulnerability. To quote the SecurityFocus BID for the Launchd vulnerability:

Apple Mac OS X ‘launchd’ is prone to a local format-string vulnerability. A local attacker can exploit this issue through a malicious ‘plist’ file that includes externally supplied format specifiers that will be passed to the vulnerable code.

The key word here is “local.” If a malicious user already has an account on your system, all bets are off anyway (in my books, at least).

This is not to make light of the vulnerability; it’s good that Apple patched the vulnerability in the latest update to Mac OS X. However, I don’t think that the level of media attention and hype being given to this vulnerability and supposed exploit are appropriate with the severity of the flaw. If this were a remotely exploitable flaw that could be easily scripted and automated, then there’d be significant reason to worry. But it’s not, and as a result the likelihood of widespread “infection” from this trojan horse is pretty slim.

Be social and share this post!