Potential ID3 Tag Vulnerability MP3Concept

Intego, makers of a Macintosh OS X anti-virus product called Virus Barrier, yesterday announced that they’d “discovered” a Mac Trojan horse. I, like Dori, am a little suspicious. For one thing, the language of the announcement was odd; for another, no other anti-virus company has reported it even today; and for a third, I work at a large, very wired campus with thousands of MP3-loving undergraduates and haven’t seen a sign of MP3Concept. Neither have any of my peers who work in IT at other campuses, and I’ve now emailed and heard back from 38 support and network administration sorts of people from all over the world, none of whom have seen MP3Concept in the wild. Since a large number of campus and institutional networks deliberately block MP3 transfer by email, I would have expected at least one to have seen it.

The idea of exploiting ID3 tags, or other sorts of metadata, for less than honorable purposes is not new. I remember hearing people talk about it two years ago at QuickTime Live. There’s an explanation of the method behind MP3Concept here. Thanks to Derek and MacNet Journal, I now remember reading this Usenet post describing just such a vulnerability. But given that no one seems to have seen the “Trojan horse” in the wild, I suspect that Intego’s announcement reflects a vulnerability rather than an actual Trojan. That said, I would like to remind people that an evil application masquerading as data is a Trojan horse, and not a virus, though a Trojan horse may also carry a virus payload. This thing, if it exists, would be a Trojan horse.
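As an added example (not code from this post, from Intego, or from the linked explanation), here is the kind of defender-side check that judges a file by its bytes rather than by its .mp3 extension: it decodes the ID3v2 header, skips the tag, requires a real MPEG audio frame to follow, and flags a native OS X executable header instead. All sample bytes are constructed; the check reads only the data stream, so it says nothing about out-of-band metadata such as a resource fork or Finder type/creator codes.

```python
import os
from typing import Tuple

ID3V2_MAGIC = b"ID3"
# Mach-O magic numbers for native OS X executables (well-known constants)
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def id3v2_tag_size(header: bytes) -> int:
    """Total bytes occupied by an ID3v2 tag, decoded from its 10-byte header.

    The size field is four 'syncsafe' bytes (7 bits each) and excludes the
    header itself and the optional 10-byte footer, so both are added back.
    """
    if len(header) < 10 or not header.startswith(ID3V2_MAGIC):
        return 0
    flags, size_bytes = header[5], header[6:10]
    if any(b & 0x80 for b in size_bytes):
        raise ValueError("ID3v2 size field is not syncsafe")
    size = 0
    for b in size_bytes:
        size = (size << 7) | b
    return size + 10 + (10 if flags & 0x10 else 0)


def looks_like_mpeg_frame(chunk: bytes) -> bool:
    """An MPEG audio frame header starts with 11 sync bits set."""
    return len(chunk) >= 2 and chunk[0] == 0xFF and (chunk[1] & 0xE0) == 0xE0


def classify(data: bytes) -> str:
    """Label a file's content independently of its name or extension."""
    if data[:4] in MACHO_MAGICS:
        return "executable"
    offset = id3v2_tag_size(data[:10])
    if offset > len(data):
        return "truncated"          # tag claims more bytes than the file has
    if looks_like_mpeg_frame(data[offset:offset + 2]):
        return "mp3"
    return "id3-without-audio" if offset else "unknown"


def audit(filename: str, data: bytes) -> Tuple[str, bool]:
    """Return (content label, True if it matches what the .mp3 extension claims)."""
    label = classify(data)
    claims_mp3 = os.path.splitext(filename)[1].lower() == ".mp3"
    return label, (label == "mp3") if claims_mp3 else True


# Constructed samples (not real files): a minimal tagged MP3 and a Mach-O header
GOOD_MP3 = (b"ID3\x04\x00\x00\x00\x00\x00\x0a" + b"TIT2\x00\x00\x00\x00\x00\x00"
            + b"\xff\xfb\x90\x00" + b"\x00" * 16)
FAKE_MP3 = b"\xcf\xfa\xed\xfe" + b"\x00" * 28
```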

Update: MacCentral has a response from Apple that “We are aware of the potential issue identified by Intego and are working proactively to investigate it,” which is pretty much what I’d expect. I have no doubt that there are other vulnerabilities in OS X; such is the nature of operating systems, and of users. But I also suspect Apple will respond to them. I think Intego’s defense for inappropriately releasing the vulnerability to the press reflects poorly on their ethics. I will certainly continue to suggest that institutional purchasers I advise stay away from Intego.

This Wired (12:44 PM Apr. 09, 2004 PT) article has useful updated information about Intego’s claims: the Trojan does not exist in the wild, and the test version did not have a viral payload. I am astonished and disgusted by Intego’s inappropriate and unprofessional behavior.