Mac OS X trojan/virus/malware

Old 16 February 2006, 02:34 PM
  #1  
Markus

Have a read of this. More info on it can be found here.

My take on it. Well, it's interesting, as it's injecting code into an executable, quite a nice little trick. A serious threat? Not really. The post that contained the file has been removed, plus, and this is the big point, if you downloaded it and ran it, then 99 percent of the time you'll be asked for an Admin password.
Now, who has ever been asked for an admin password to view a JPEG? That should give you a big clue that Bad Things Might Happen if you actually enter the password.

The other 1 percent of the time would be if you have, within the last 60 seconds or so, used Admin authorisation, or you are logged in as a root user.
Now, if you're logged in as root then you're asking for trouble anyway. I've always been told to never log in as root on OS X unless you need to, and if you do, don't stay logged in as that user, and certainly don't use it as your regular account.
If you're an Admin user, then you can "sudo" or "su" in the terminal so there is no need to log in to the machine as root anyway.

Last edited by Markus; 16 February 2006 at 02:37 PM.
Old 16 February 2006, 03:03 PM
  #2  
JackClark

Not sure if this is the same one, we've only just got hold of it, the page will be updated shortly

http://vil.nai.com/vil/content/v_138578.htm
Old 16 February 2006, 03:32 PM
  #3  
Markus

Jack,
Sounds like it's the same. I've seen Leap mentioned as the name.

Essentially it's a file that alleges to contain JPEG pictures of 10.5. When you double click on it, it asks for admin password, and then installs itself. Tries to spread itself using Bonjour.

Interested to see what, if anything, Apple does about this, as some applications legitimately inject code into applications/memory, to "patch" things. Stuff such as Unsanity's haxies and things like that.
Old 16 February 2006, 03:40 PM
  #4  
JackClark

I don't see it as that much of an issue, you have to authorise it. Big news in PR terms though.

Anyhow, apologies to the Mac community, I knew as soon as I switched the problems would follow me.
Old 16 February 2006, 04:48 PM
  #5  
Markus

Jack,
Neither do I. If you are silly enough to enter an admin password for opening a jpeg file then you're asking for trouble. Yes, some people aren't as computer literate as they should be, and probably think this would be normal behaviour and know no different. Same people probably click on the links in the emails from banks asking for them to verify their credit card details.

Agree that PR wise it IS a big thing. But again, requires user interaction, so it's not a silent attack.

From a tech viewpoint it does display a hole in the security, but what was more worrying to me was how Apple would approach a fix. Our software injects code into things, as we need to "patch" various things. Depending on how Apple fixes things, i.e. would it stop code being injected, then it could prevent certain parts of our software from working. However, I don't think it's going to be a problem, as the way we do things is used by the kernel itself for, if I've got it right, inter-process communication, so it's not something they could block.
Old 16 February 2006, 05:21 PM
  #6  
JackClark

Our pages have now been updated.

One of my favorite viruses was called Polite, it asked if you liked to be infected when the code was executed. Now you'd think that would be clue enough, but this particular macro virus was in our top ten for quite some time.