- Joined
- Aug 15, 2006
- Messages
- 483
- Reaction score
- 13
- Points
- 18
- Location
- Abu Dhabi, United Arab Emirates
Apple has yet to provide a fix for the DMG bug though a workaround is known which should stop computers falling victim.
That wouldn't be a wise thing to do... in fact, it would be a little silly IMO.interesting, ill stay away from .dmg
The second-most important line is this:Article said:The bug has only been proved to work under laboratory conditions. No cases of it being exploited in the wild are known and no users are thought to be at risk.
The bolded suggestions should be more or less common sense, anyway.:black:Article said:It urged users to avoid downloading DMG files, which bear a .dmg suffix, from unknown sources.
That wouldn't be a wise thing to do... in fact, it would be a little silly IMO.
As was stated, the vast majority of downloadable software (shareware, freeware) for Mac OS comes in the .dmg format.
The article never elaborates on what this "code bug" is or does, nor does it describe what a "vulnerable" machine entails. It really doesn't say much of anything, really.
The most important line of the article I find is this:The second-most important line is this:The bolded suggestions should be more or less common sense, anyway.:black:
I like the replies so far, I don't think there is any need for panic.
1stly, a whole bunch of stuff as to happen before there is any serious risk. You have to download a .dmg from an untrustworthy source. Then after executing it and mounting the new files, your machine is potentially vulnerable or unstable. So between you executing the .dmg and any restart someone has to attack your machine, meaning getting around your firewall, knowing your IP address etc.
Hmmm... how sure of this are you? It sounds to me from the article, that what they are referring to is a buffer overrun style attack, possibly in expanding (if that's what it does) or mounting the dmg file. A cleverly coded buffer overrun can result in pre-defined code being executed directly without any further interaction being required.
You are implying that mounting a dmg could cause some kind of server to be temporarily installed and require someone to actively try to contact you at that moment. If a hacker can manage to run up a piece of code to do this, they can certainly manage to do a bit more than that!
However, it would require a privilege escalation style attack before I'd be overly concerned about it and I don't know of any way of escalating privileges myself under OS X (although my knowledge is not comprehensive enough to state this categorically...)
And therein lies one of the major advantages of OS X over Windows, in OS X you don't run as root so malicious code can't easily do much system-level harm without you authorizing it.