Anonymous Blogger Claims Proof-Of-Concept Attack For Mac Worm

McAfee researchers are keeping a close eye on what could be proof-of-concept exploit code for a vulnerability in Apple's Mac OS X.

Dave Marcus, a security research manager for McAfee Avert Labs, told InformationWeek that they've been following blog entries on the Infosecsellout blog by an anonymous poster. The blogger, who claims he's a researcher, says he's being paid to create a Mac worm using the vulnerability, but he has no plans to release the code into the wild. He doesn't say who is paying for his research.

The bug he's working to exploit is the MDNSResponder vulnerability, which was patched in Apple's last security update.

"He walks the walk and kind of talks the talk, but whether anything will come of it is hard to tell," said Marcus. "I would take this seriously. ... It's hard to say if he's doing it for the good guys or the bad guys. For the most part, when someone says they've written proof of concept but they're not going to release it, it could mean they're making it up or they're doing work that could be very, very dangerous."

Researchers at SecurityFocus, calling the flaw a boundary condition error, said proof-of-concept code has been created. "Successfully exploiting this issue allows remote attackers to execute arbitrary machine code with super user privileges, facilitating the complete compromise of affected computers. Failed exploit attempts likely result in a denial-of-service condition," noted an advisory.

Marcus said it's obviously a plus that Apple already released a patch for the bug. The problem is that it sometimes takes weeks or months for individual users and companies to bring their software up to date.

"He may take the high road and not release it ... but certainly if he sells it, there's the issue of it getting out and someone else doing further work on it and it developing into a nasty piece of malware," he added.