lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040218195950.GA8629@SDF.LONESTAR.ORG>
From: petard at freeshell.org (petard)
Subject: os x mass mailers

On Wed, Feb 18, 2004 at 12:09:54PM -0500, Joshua Levitsky wrote:
> Personally I hope someone is writing an OS X virus / worm to shut those
> people up about how secure the 3% using Macs are. How hard is it for someone
> to write a freaking osascript that tell application Address Book.app ... and
> then tell application Mail.app ... and you would have the same problems as
> windows. It would be nice to have a little less stress with Windows and let
> the others suffer for a while.

the script to do so is trivial... certainly easier than on windows, I'd
say. in fact, here's how to send a message with no user interaction at
all in applescript, provided mail.app is running and authenticated to
your server as required:

tell application "Mail"
    set newMessage to make new outgoing message with properties
{subject:"some witty subject", content:"some random garbage",
sender:"some@...er.tld"}
    tell newMessage
        make new to recipient at end of to recipients with properties
{name:"Victim", address:"victim@...er.tld"}
        send
    end tell
end tell

The issue is getting that to propagate on a large scale. There are 3
problems:
    1. Mail.app doesn't automatically execute incoming scripts.
    2. If you ship it as a "script" (even run-only) the only thing that
happens when someone double-clicks it is that script editor opens; it
doesn't run. Most mac users have never seen the script editor, wouldn't
like it, and would promptly quit.
    3. If you ship it as an application bundle, mail presents a very
dire warning about how you shouldn't open it because it may contain a
virus or be harmful to your computer and does not default to opening it.

Those 3 issues assume you've hit an os x user who runs mail.app. Other 
users just wouldn't be able to execute it if they want and are stupid 
enough to do so. And that's most of the recipient pool. (95% of the 
people in a non-technical user's address book are likely to be windows 
users. Not exactly fertile ground for an applescript virus.)

The combination of more difficult social engineering thanks to a safer
default configuration of the environment and a smaller user population
make writing this mass mailing trojan very unrewarding. The upshot is
that, as a practical matter, the 3% using Macs are much safer.

And you must just be an ass if you hope for more of this crap to clog
your mailbox, whether you use the platform in question or not. I haven't
been vulnerable to a single one of them, but they irritate me and I
certainly don't want more stuff like it bogging down my servers.

regards,
petard

-- 
If your message really might be confidential, download my PGP key here:
http://petard.freeshell.org/petard.asc
and encrypt it. Otherwise, save bandwidth and lose the disclaimer.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ