Just wondering, how many of you here work in IT security on a daily basis? By that I mean work with AV companies, US-CERT, or equivalent entities that deal with malicious code or network analysis on a global scale?
I would like to say everything I've read about this Mac exploit is legitimate, and is very consistent with how malicious code is introduced to systems. I had the opportunity to attend Dino Dai Zovi's briefing at 2006 Black Hat Vegas. This was before he took the 10K from CanSecWest in 2007. These people are no joke, and the stuff they write deserves more respect than the petty crap I'm reading in this forum. The hype you're reading is the media making it out to be something glamorous, which in its own right it is.
On to delivery: Malicious binaries can be delivered several ways. One method is to embed it within a file (document, image, PDF, Flash, etc.). Once the file is opened the binary is executed. The delivery can be something as simple as a download, file share, or an attachment in an email. The second and probably the most popular method consists of crafted malicious code that's called upon from web browsers, usually via obfuscated, IDS-evading JavaScript or iFrame exploitation methods, which is executed within the browser's cache or temp directories. Persistent code can and will run without user acknowledgment if it's written properly. If the developer can get it to run at the system/admin/root level, the OS would likely never ask for authentication to run it - assuming it's a legit file. The malicious code was probably embedded in JavaScript or an iFrame, which was launched as soon as the OP visited the URL. In the real world people don't know what sites are malicious, but for the purpose of replicating the real "ignorant" world there must be some compromise during these kinds of demonstrations. The OP probably had to play ignorant, and pretend to stumble on a site that was infected only after being tipped. They probably knew this at the start. Most forensic and security analysts know this since it's a popular method of delivery and it happens every day to thousands of people on PCs. So... Why would this be any different for Mac OS X? It wouldn't... As for AV, most of the time AV stops these kinds of attacks, but it's important to know AVs are only as good as the signatures that are written for them.
-Jay