Adam Knight of Mac Geekery has written a detailed article describing several security issues in the current Installer mechanism. The basic upthrust of the article is that it’s possible when running an installer package as an administrator, your machine can get owned. Without a password.
It’s a really big problem. I count on installer packages being required to prompt me for a password in order to do anything as root. There’s no guarantee a malicious package couldn’t implant itself, even going so far as installing a rootkit. The good news is that there is an easy solution. Don’t run as admin. Run as a normal user. Also, don’t run stuff from untrusted sources. At this point, this should go without saying, but when people are still getting bitten by a really weakly disguised Trojan that’s given Word’s icon and name, I know people need reminders.
Then again, if you’re trying to steal software off P2P services, I consider it karma anyway.
[via Jon Rentzsch]
