哭狼

首先,上周的'MP3Concept特洛伊木马'惨败摘要:

  • MP3Concept确实是一个特洛伊木马, but the only known instance is utterly benign — a harmless but quite clever proof of concept that a single file can be both a CFM Mac application, and also a valid MP3 audio fileImagine if the Greeks had built a gigantic wooden horse, but instead of filling it with army troops, they had simply left a note inside telling the Trojans to be careful.

  • Technical details aside, the basic idea is that MP3Concept is an application, with HFS file type ‘APPL’, and the Finder reports its kind as such.

  • 它的图标是iTunes的MP3文档图标的副本This icon has nothing to do with the “.mp3” file name extension, nor is it a pasted icon set through the Get Info windowIt’s the application’s icon, stored in the file’s resource fork.

  • Thus, the icon looks like that of a normal MP3 file, and the filename, “virus.mp3”, looks like that of a normal MP3 fileThus, the CFM trickery that allows the file to work both as an app and an MP3 file — while clever — is mostly beside the point.任何normal CFM app can be assigned an icon and file name that make it appear, at a glance, to be a file and not an app.

  • 这不是Mac OS X特有的The “virus.mp3” application works on both Mac OS X and Mac OS 9.

  • No one with any sense would ever claim that Macs are impervious to viruses, worms, or Trojan horses.特别Trojans — which just about anyone with a 3-digit IQ could put together例如。:

    1. Write an AppleScript that displays a dialog, then quits.
    2. 将其另存为脚本应用程序。
    3. 将其命名为“some_song_title.mp3”。
    4. Use the Finder’s Get Info window to paste the icon from an iTunes MP3 file onto the script app.

    - 你刚刚写了一个无害的特洛伊木马。

    Now, change step #1 from displaying a harmless dialog box, to, say, deleting the contents of the current user’s Documents folder, and you’ve written a dastardly, albeit not particularly clever, Trojan horseYou don’t even need to be able write AppleScript; you can simply use Script Editor’s record feature.

  • The crux: it has never been safe to blithely double-click a “file” downloaded from an untrusted source simply because its icon looks like that of a normal document.

评分参与者

博林德伯格

他是“virus.mp3”概念验证的作者posted to comp.sys.mac.programmer.misc on March 20

判决:无可指责Lindbergh’s proof-of-concept is completely innocuous, and the technical details of his technique are quite cleverIf there’s anything he should have done differently, it’s the unfortunate name he chose for his demo“virus.mp3” is not a virus — it’s a Trojan horseA file name such as “example.mp3” would have been betterBut, I suspect Lindbergh never imagined the hubbub his demo ended up provoking.

Intego公司

“Macintosh安全专家”,VirusBarrier的制造商,他们的press release announcing protection against “MP3Concept”begat the hysteria.

判决:无耻无能Intego’s press release is riddled with serious inaccuraciesThe crux of the press release is this:

Due to the use of this technique, users can no longer safely double-click MP3 files in Mac OS XThis same technique could be used with JPEG and GIF files, though no such cases of infected graphic files have yet been seen.

这不正确“virus.mp3” is an application, not a document, at least in terms of how the Finder treats it on both Mac OS 9 and OS XAn accurate, non-sensational way of issuing their warning would have been to say something like:A malicious application can be disguised using an icon to make it look like a document.

Intego还声称:

Mac OS X displays the icon of the MP3 file, with an .mp3 extension, rather than showing the file as an application, leading users to believe that they can double-click the file to listen to it.

这是错误的It’s either a deliberate lie, or written by someone with no genuine understanding of what’s going onEither way, it discredits Intego.

This is how the Finder displays the “virus.mp3” file, in list and column view:

'virus.mp3'显示在Finder的列表视图中

'virus.mp3'显示在Finder的列视图中

There’s no question that one might be fooled into thinking it’s an MP3 document, glancing only at the icon and filename, but in no way is the Finder erroneously indicating that it is anything but an application.

Computer security is serious business; warnings about newly-discovered threats demand precise and accurate technical descriptionsIntego’s press release regarding the MP3Concept “threat” is vague and inaccurate不可原谅的。

MacJournals

4月10日的问题MDJ(and the April 11 issue of its weekly siblingMWJ) contained an exhaustive look at the entire saga, including an outstanding explanation of the CFM trickery Lindbergh used to stash both the executable binary code and MP3 data within the data fork of a single file, analysis of the embarrassing factual errors in Intego’s statements, and a scathing look at the press coverage.

判决:出色,及时,全面的报道。

(披露:我在2003年偶尔为MDJ撰稿。)

花絮

Adam Engst在TidBITS#726中的报道covers fewer technical details than MDJ’s report (as befits the TidBITS readership), but is equally lucid.

判决:Mac用户应该知道的特洛伊木马的威胁。

有线新闻

Leander Kahney的初步报告是标题“Trojan Horse Attacks Mac OS X”This is so wrong, so sensational, as to defy belief.

To Kahney’s and Wired News’s credit, the initial report was later replaced by a new article, headlined“OS X特洛伊木马是一个纳格”, which corrected the original article and began by putting the situation in an accurate context:

Security experts on Friday slammed security firm Intego for exaggerating the threat of what the company identified as the first Trojan for Mac OS X.

(感谢MDJ找到初始有线新闻报道的工作链接。)

判决:The initial report was the most sensational and least accurate coverage I sawThey did the right thing by correcting themselves within a day, but that doesn’t excuse the utterly misleading initial report.

CNN

更新: Chris Nandor通过电子邮件发送信息CNN’s coveragewas even worse than Wired’s, and went uncorrected. Here’s the first sentence from CNN’s article:

The first Trojan horse virus to target Apple’s latest operating system was discovered this week, and it appears to prey on the popularity of Apple’s popular music service.

这是第一句话的错误:

  1. 这不是病毒。
  2. It doesn’t “target” Apple’s latest operating system — the same file works the same way on Mac OS 9.
  3. 这是CNN报道时的三周大。
  4. 这与“Apple的流行音乐服务”完全无关。

判决:剩下的句子没有任何好转。

每日Mac新闻网站的报道范围

MacFixIt完全拙劣its (non-bylined) report.MacNNMacCentralMacObserver,和MacMinuteall did nothing more than regurgitate bits from Intego’s inaccurate press release, and passed it along without the scrutiny it deserved.

链接不是报告。If these sites are news media, as they all claim to be, and not merely clearing houses for press releases, then they are obligated to investigate claims such as Intego’s before publishing themDoes this mean they might get scooped by less scrupulous “news” sites, which jump the gun to publish a sensational “Trojan horse scare for Mac OS X” story? SureBut credibility stems from accuracy, not immediacy.

The vast majority of the news blurbs published by these sites don’t demand investigationAn alleged security hole, however, is anything but a typical storyMacCentral’s Jim Dalrymple did contact Symantec for comment, but another vendor of commercial anti-virus/security software isn’t where you go to get unbiased analysis of a Trojan horse threatThese companies have a vested interest in convincing Mac users that they need anti-virus software.

The core of the story, missed by all of the above Mac news sites, is that Mac applications can have icons and file names that make them appear at a glance to be documentsYou don’t need anti-virus software to defend against this threat — you simply need to be careful that documents you download from untrusted sources are, in fact, documentsFinder可以告诉你这个。

这就是归结为Anyone who couldn’t smell the fishiness in Intego’s press release is unfit to write important Mac OS security stories无论谁没有smell the fishiness, but published Intego’s claims anyway, should be ashamed.

以前: 喜好
下一个: 如果它没有破灭