Apple Computer Inc. responded on Friday to an advisory issued by security software-maker Intego on Thursday. Apple said they were aware of the issue outlined by Intego and that they were investigating. While one security analyst doesn’t feel this is a very big deal, he does note that this incident gives absolute proof of the vulnerability.
“We are aware of the potential issue identified by Intego and are working proactively to investigate it,” said Apple in a statement given to MacCentral. “While no operating system can be completely secure from all threats, Apple has an excellent track record of identifying and rapidly correcting potential vulnerabilities.”
In the advisory issued yesterday, Intego said a Trojan horse called MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files, according to the company.
The release of the Trojan Horse, which has been classified by some as more of a proof-of-concept rather than a real Trojan Horse, may be the result of Apple’s own success in marketing its operating system. As Mac OS X becomes more popular in the market, virus writers will receive more notoriety for exposing vulnerabilities.
“This is something you have to expect as an operating system gets a higher profile,” Ray Wagner, Research Director, Information Security Strategies at Gartner Research, told MacCentral. “I don’t think virus writers were ever thinking they could not write a virus for Mac OS X, I just don’t think they were interested in the lower profile systems.”
In a note posted to their Web site on Friday, Intego defended releasing the Trojan Horse information yesterday.
“The exploit that it uses is both insidious and dangerous and it is our duty as a vendor of Macintosh security solutions to protect our users,” says the note on Intego.com. “We don’t believe in waiting until the damage occurs, unlike some of our competitors.”
While the Trojan Horse itself may be benign, exposing the vulnerability is significant.
“This certainly gives absolute proof that there are vulnerabilities in Mac OS X,” said Wagner. “In this case it’s relatively high-profile because of the use of MP3, but this does not appear to be a terribly big deal.”
Symantec Corp. told MacCentral on Friday that they were aware of the Trojan, but noted that the virus has not been found in the “wild.” Symantec also provided a screenshot of what happens when the Trojan Horse is executed.
“Discovered on March 20, MP3Concept (MP3Virus.Gen) is a Trojan that imbeds mp3 data in an application,” said Symantec in a statement to MacCentral. “Once the file is executed, the Trojan executes and displays the following message, ‘Yep, this is an application. So what is your iTunes playing right now?’ After displaying the message, the program launches iTunes and plays the mp3 file.”
Symantec noted that the Trojan would only execute if opened as an attachment, but not if it was played through iTunes. “This Trojan does not contain any malicious code. MP3Concept is a proof-of-concept Trojan and is not currently seen ‘in the wild’ — it is not spreading and infecting Mac users,” said Symantec.
Symantec said they would release an updated virus definition on Friday for the Trojan and would continue to monitor the situation for any unusual activities.
Update: This story has been updated with information from an interview with Ray Wagner and notes from the Intego Web site. Update 2: This story has been updated with the information from Symantec Corp.