Check that authentication dialog!

Stephen Withers
Wednesday, 11 February 2009 06:10

Opinion and Analysis

This trick isn't merely of academic interest - Pesoli went down this track after discovering that the recent Iservice (iWork Service) malware calls on the authorisation mechanism.

"The author of OSX.Iservice.B didn't go this far in that implementation, but the fact that the program already uses Authorization Services could mean he or she is already headed down this path," he noted.

So what's Symantec's recommendation? Cynical readers may be surprised, but there's no mention of running security software and keeping it up to date.

Instead, "From now on, we advise that Mac OS X users don't rely simply on familiar icons or messages from the authentication dialog box, but take an extra little step in order to verify the execution path of the program that is asking for the password. Furthermore, if we are prompted for a password by any Apple/clean/trusted application when we're not really expecting it, checking for any suspicious running processes would certainly help."

Mac malware seems to be on the increase, but it seems to rely on social engineering rather than silently exploiting underlying vulnerabilities.

Pesoli has shown how easy it is for the bad guys to incorporate real authentication dialogs to trick the unwary into granting rights to malware, so his call for extra care seems well-founded.

Fortunately, authentication dialogs don't normally appear very often, so there's no excuse for not stopping and thinking before you click OK.