Re: Security Update 2006-002 Released
- From: Tim McNamara <timmcn@xxxxxxxxxxxxx>
- Date: Wed, 15 Mar 2006 17:42:02 -0600
In article <Tv%Rf.23232$Cp4.9283@edtnps90>,
me@xxxxxxxxxxxxxxxxx (Király) wrote:
> bride_of_excession <bride_of_excession@xxxxxx> wrote:
>> OyVey! If it doesn't give an authentication prompt it can't install
>> anything.
>
> Wrong. Any admin user can install software without being prompted
> for an administrator's password, because /Applications is group
> writable by admin. Try dragging anything to /Applications; if you
> are running as admin, then no authentication is needed. Under a
> non-admin account, authentication is needed.

So far so good. Except that using the OS X Installer requires the admin
password even when logged in as the admin user. Thus people writing Mac
malware aren't going to make it a .pkg! It'll be a command line
application embedded in something innocuous.

> That keeps malware out, whereas running as Admin means your
> /Applications folder is wide open to malware exploits.

That's false. Malware doesn't have to install into /Applications to
run, so not running as an admin user can give you a false sense of
security. And malware will probably be named with an initial '.' to
make the file invisible in the Finder, a simple ruse to hide it from the
average Mac user who probably knows little if anything about .filenames
or how to make them visible.

>> I think you are confused -- It's not like Windows, using the admin
>> account is *not* the same as being root. OS X uses sudo and is
>> quite secure while running as admin user.
>
> That's true, but admin rights on OS X grant access to areas that
> could be exploitable by malware, such as /Applications and /Library.
> Running as admin, a piece of malware could modify those areas without
> your knowledge or consent. Running as a non-admin, malware cannot
> touch those areas unless the malware prompts you to enter an
> administrator's username and password, which should set off major
> alarm bells.

Same problem. You seem to think that malware can only do damage if it
is installed in /Applications or has access to /Library, etc. That's
false. Malware installed in ~/Applications can do just as much damage
from the user's perspective, such as a keylogger to facilitate identity
theft. BTW there are existing Linux keyloggers that could probably be
trivially adapted to OS X which have no GUI and would not be detectable
by the naive user (which probably includes me).

>> In fact the only real difference between admin and normal user
>> accounts is membership in the admin group.
>
> Exactly. And membership in the admin group means elevated privileges
> that could be exploited by malware, exploits that wouldn't happen by
> running as a non-admin.

You're not looking at the picture that malware authors are looking at:
how can I get Joe User's Social Security number, credit card number
complete with security number, Web site IDs and passwords, etc. You
don't need to install into /Applications to do that. You can do it from
any directory the user had privileges to r-w-e. The malware author
doesn't want to trash your hard drive or delete your data - they want
access to your money. You're every bit as vulnerable to that as a
non-admin user as you are as an admin user.
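
As an added example (not part of the thread), the shell functions below check the conditions argued over in this post: membership in the admin group, group-write access on /Applications, and executable dot-files in a directory tree the user can write to. The function names and the `--report` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and the
# --report argument are made up for illustration.

# True if the current user belongs to group $1 (the post's "admin" group).
in_group() {
    id -Gn | tr ' ' '\n' | grep -Fqx -- "$1"
}

# True if directory $1 has the group-write bit set, which is what the
# thread says of /Applications. -prune stops find from descending.
is_group_writable() {
    [ -n "$(find "$1" -prune -perm -020 -print 2>/dev/null)" ]
}

# List regular files under $1 whose name starts with '.' and that carry
# any execute bit: the "invisible in the Finder" program the post describes.
find_hidden_executables() {
    find "$1" -type f -name '.*' \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null
}

# Helper: run a test command and print yes/no.
yn() { if "$@"; then echo yes; else echo no; fi; }

# report [app_dir] [home_dir]: print the findings for this account.
report() {
    app_dir=${1:-/Applications}
    home_dir=${2:-$HOME}
    echo "member of admin group:           $(yn in_group admin)"
    echo "$app_dir group-writable:         $(yn is_group_writable "$app_dir")"
    echo "$app_dir writable by this user:  $(yn test -w "$app_dir")"
    echo "hidden executables under $home_dir:"
    find_hidden_executables "$home_dir" | sed 's/^/  /'
}

# Only produce output when asked, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then
    shift
    report "$@"
fi
```

Run with `--report` to print the findings for the current account; a non-admin account will typically show the first and third answers as "no" while the hidden-executable scan of the home directory works the same either way.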