February 21, 2006
In addition to two malware threats that emerged last week, a new, severe vulnerability
has been discovered in the Macintosh OS X operating system. While the new
worms are not in widespread distribution and Symantec is not seeing exploitation
of the vulnerability at this time, users of Macintosh OS X are advised to be
on heightened alert and to consider the protection recommendations below.
The new vulnerability, announced on February 21, affects the Safari Web browser
on Macintosh OS X version 10.4. By default, Safari automatically opens certain
downloaded file types that it considers "safe", such as .zip archives; a malicious
archive can therefore deliver a potentially unwanted file or malicious program that
is opened without any further action by the user. Symantec advises Safari users to turn
off the “Open ‘safe’ files after downloading” feature in the Web browser software
while waiting for further details from Apple.
Last week, two Macintosh OS X worms were discovered by Symantec Security
Response. The first threat, OSX.Leap.A, is spreading in the wild in low distribution.
On Friday of last week, our researchers discovered another Mac OS X threat,
OSX.Inqtana.A; however, this latest threat is a proof-of-concept and
is not spreading in the wild.
Symantec does not believe the two worms share an author. Both of these
threats are very low risk and are rated at Level 1 (on a scale of 1 to 5,
with 5 being most severe). But given the relatively small number of threats targeting
Macintosh operating systems, these worms have gained attention.
OSX.Leap.A
"This first Macintosh OS X threat is an example of the continuing spread
of malicious code onto other platforms," said Vincent Weafer, senior director
at Symantec Security Response. "However, this worm will not automatically
infect, but will ask users to accept the file, giving potential victims a heads
up and the opportunity to avoid infection. The important piece of advice for
any iChat users running Macintosh OS X (version 10.4) is not to accept file
transfers, even if they come from someone on a buddy list."
Symantec recommends that users of Macintosh OS X (version 10.4) ensure that
iChat requests permission before accepting a file transfer, and that they do not
accept incoming files.
OSX.Inqtana.A
"While this particular worm is not fully functional, the source code could
be easily modified by a future attacker to do damage," added Weafer. "Macintosh
users should be diligent about installing patches to their operating systems
as this will prevent attacks of this type."
Symantec recommends that users of Macintosh OS X keep antivirus and firewall
software, as well as operating systems, up-to-date, to provide maximum levels
of security. Users can obtain additional information on updating Macintosh
OS X software here.
If you believe you may be affected by the Apple Mac OS X Archive Metadata
Command Execution Vulnerability, Symantec advises Apple Safari users to turn
off the “Open ‘safe’ files after downloading” feature in the Web browser software. Users
are also encouraged to review Apple’s guide to safely handling files received
from the Internet.
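The advice above is given for Safari's preferences dialog. As an added example (not Symantec's or Apple's tooling), the same setting can be checked and turned off from the shell with the `defaults` command; it assumes the setting lives in the `com.apple.Safari` preference domain under the key `AutoOpenSafeDownloads`, with 1 (or an absent key) meaning enabled.

```shell
#!/bin/sh
# Added example: inspect and disable Safari's "Open 'safe' files after
# downloading" feature from the command line.
# Assumption: the preference key is com.apple.Safari / AutoOpenSafeDownloads,
# where 1 (the default, also when the key is absent) means enabled.

# Map a raw `defaults read` result to a readable state. An empty value means
# the key was never written, which Safari treats as "enabled".
describe_auto_open() {
    case "$1" in
        1|true|YES) echo "enabled (downloads are opened automatically)" ;;
        0|false|NO) echo "disabled" ;;
        "")         echo "enabled (default, key not set)" ;;
        *)          echo "unknown value: $1" ;;
    esac
}

# Report the current state; only meaningful on Mac OS X, where defaults(1) exists.
safari_auto_open_state() {
    if ! command -v defaults >/dev/null 2>&1; then
        echo "defaults(1) not available; not running on Mac OS X" >&2
        return 2
    fi
    value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null)
    describe_auto_open "$value"
}

# Turn the feature off. Quit Safari first: a running Safari can write its
# in-memory preferences back to disk on exit and undo the change.
disable_safari_auto_open() {
    command -v defaults >/dev/null 2>&1 || return 2
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
    safari_auto_open_state
}
```

Run `safari_auto_open_state` before and after `disable_safari_auto_open` to confirm the change took effect; the second call should report "disabled".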
If you own Symantec products:
Step 1) Update Your Virus Definitions
If you own Norton Internet Security or Norton AntiVirus, LiveUpdate will automatically install the latest virus definitions.
Step 2) Follow Symantec's Worm Removal Instructions
Symantec's Security Response step-by-step removal instructions below will help you remove the worm if you are infected:
To Remove OSX.Leap.A:
- Delete the infected file
At the time of this writing, the file carrying this worm has the following
file name:
latestpics
Delete this file. If this file has not been executed, no further action should be necessary.
- Delete any associated files and restart the compromised computer
If the infected file has been executed, delete the following file:
/Users/[CURRENT USER]/Library/InputManagers/apphook.bundle
The compromised computer must then be restarted to remove the infection from memory.
Note:
- [CURRENT USER] is the name of the user who was logged in when the infected file was executed.
- The worm may infect other applications. If you suspect that an application has been compromised, it should be replaced from a clean backup copy.
To Remove OSX.Inqtana.A:
Delete the following files:
- /Users/w0rm-support.tgz
- /Users/InqTest.class
- /Users/com.openbundle.plist
- /Users/com.pwned.plist
- /Users/libavetanaBT.jnilib
- /Users/javax
- /Users/de
- /Users/[USER NAME]/Library/LaunchAgents/com.pwned.plist
- /Users/[USER NAME]/Library/LaunchAgents/com.openbundle.plist
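The two removal lists above can be checked mechanically. The following shell script is an added example, not Symantec's removal tool: it inventories the paths named for OSX.Leap.A and OSX.Inqtana.A under a root directory you choose, and optionally deletes them. The root is a parameter so the check can be rehearsed on a staging copy before it is run against `/` as root on an affected Mac. It assumes the paths are exactly those listed above and that the Leap.A dropper is found by the name `latestpics` (the `.tgz` it arrived in matches the same pattern).

```shell
#!/bin/sh
# Added example (not Symantec's own tool): find and remove the OSX.Leap.A
# and OSX.Inqtana.A artifacts listed in the removal instructions above.
# Assumptions: paths exactly as listed; the root is passed as $1 ("/" on a
# real system) so a staging directory can be used for a dry run.

# OSX.Inqtana.A files dropped at fixed locations under /Users.
INQTANA_FIXED="Users/w0rm-support.tgz
Users/InqTest.class
Users/com.openbundle.plist
Users/com.pwned.plist
Users/libavetanaBT.jnilib
Users/javax
Users/de"

# Per-user items: the Leap.A InputManager bundle and the Inqtana.A LaunchAgents.
PER_USER="Library/InputManagers/apphook.bundle
Library/LaunchAgents/com.pwned.plist
Library/LaunchAgents/com.openbundle.plist"

# Print every listed path that exists under $1, one per line.
# Returns 0 when artifacts were found, 1 when nothing matched.
find_worm_artifacts() {
    root=${1%/}
    found=1
    for p in $INQTANA_FIXED; do
        if [ -e "$root/$p" ]; then echo "$root/$p"; found=0; fi
    done
    for home in "$root"/Users/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        for p in $PER_USER; do
            if [ -e "$home/$p" ]; then echo "$home/$p"; found=0; fi
        done
        # The Leap.A dropper sits wherever the user saved it (Desktop,
        # Downloads, ...), so look a few levels into each home directory.
        hits=$(find "$home" -maxdepth 3 -name 'latestpics*' 2>/dev/null)
        if [ -n "$hits" ]; then echo "$hits"; found=0; fi
    done
    return $found
}

# Delete everything find_worm_artifacts reports under $1. apphook.bundle,
# javax and de are directories, so rm -rf is required; the rest are files.
remove_worm_artifacts() {
    find_worm_artifacts "$1" | while IFS= read -r f; do
        rm -rf "$f"
        echo "removed $f"
    done
}
```

Run `find_worm_artifacts /` first and review the output; only then run `remove_worm_artifacts /`, and restart the machine afterwards as the instructions above require, since the Leap.A InputManager stays loaded in running applications until they exit. A clean system yields no output and a non-zero exit status from `find_worm_artifacts`.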
Step 3) Keep Your System Up-to-Date
Make sure that your subscriptions are current by visiting Subscription Troubleshooter. You can also increase your protection by upgrading to the latest product version in the Symantec Store.
If you don't own Symantec products:
Step 1) Follow Symantec's Worm Removal Instructions outlined above
Step 2) Buy Protection Now
The following products are recommended for protection from the Macintosh OS X worms and other known threats:
Home & Home Office
Norton Internet Security 3.0 for Macintosh
Provides essential protection from viruses, hackers, and privacy threats. Safeguard
your Mac, your files, and your children online.
Price: $69.95
Small Business
Norton AntiVirus 10.0 for Macintosh
Removes viruses automatically, blocks certain Internet worm attacks, and protects
email and instant messages. Protect your Mac from viruses and worms and detect
spyware with the world's most trusted antivirus solution.
Price: $199.95
To protect yourself from the Macintosh OS X worms and other threats, Symantec recommends that users:
- avoid opening unknown or unexpected e-mail attachments
- keep Internet security software up-to-date
- use strong passwords on any shared files
- back up user data to offline storage media