I don't understand this story. AFAICR, any software package I've installed using OS X's Installer.app has required me to authenticate with an adminstrator pasword even when I am logged into an adminstrator account.
Not all of them. The ones that come from Apple do, but it's just a checkbox in PackageMaker. See figure 2-3 in the
PackageMaker User Guide.
But an intruder doesn't need to use Apple's System Installer. They can install files directly, anywhere they have write access. That's why I've always advised doing your normal web browsing from a non-admin account. That doesn't make you completely safe (since they still have write access to almost your entire home folder), but it does limit the scope of what they can do.
And I've also advised that merely creating a new admin account and demoting your old account to Standard (i.e., non-admin) isn't usually enough. Many applications that you installed while you were still admin are owned by you, and you retain write permission to them, so malware running as you can still infect them with viruses.
Thus you need to at least revoke your ownership of everything inside /Applications (and probably /Library also). Do it from Terminal; Finder should not be trusted to handle permissions. Finder should not even be trusted to tell you what permissions you have. (Finder doesn't even mention the execute bits, ignores most ACLs, and only paraphrases the ones it does tell you about. It also will not normally tell you anything at all about the files inside application packages, nor let you adjust their permissions.)
For example, suppose you have a user named "you". "you" used to be an admin, but no longer. When "you" were an admin, you installed the SurfWriter application by drag-copying it from a disk image into /Applications. Here's what that application looks like.
drwxrwxr-x+ root admin /Applications
drwxr-xr-x- you admin Surfwriter.app
drwxr-xr-x- you admin Contents
-rwxr--r--- you admin Info.plist
drwxr-xr-x- you admin MacOS
-rwxr-xr-x- you admin SurfWriter
drwxr-xr-x- you admin Resources
-rwxr-?r-?- you admin ... lots of other stuff ...
/Applications/SurfWriter.app/Contents/MacOS/Surfwriter is the actual executable. The system knows it's the actual executable because the Info.plist says so. The execute bits inside the Resources subdirectory will be set or cleared at the whim of the vendor. (If the vendor set permissions using Finder, there'll be way too many execute bits. Even Apple software comes with execute bits set on non-executable files.)
Suppose you downgrade "you" to a Standard account, and even use Finder to make it read-only, and changed the owner to "boss" (your new admin account). Finder will change the permissions to
drwxrwxr-x+ root admin /Applications
dr-xr-xr-x- boss admin Surfwriter.app
drwxr-xr-x- you admin Contents
-rwxr--r--- you admin Info.plist
drwxr-xr-x- you admin MacOS
-rwxr-xr-x- you admin SurfWriter
drwxr-xr-x- you admin Resources
-rwxr-?r-?- you admin ... lots of other stuff ...
In other words, Finder changes the permissions only on the package folder /Applications/SurfWriter.app itself, not its contents. (And it's been many releases since Finder would even let you change the owner.)
Since you still have write permission on /Applications/SurfWriter.app/Contents/MacOS, any malware running as you is free to do any of the following:
- Overwrite the SurfWriter executable, to replace it with a virus or to add a virus to it.
- Install a virus as a separate file inside MacOS, and modify Info.plist (assuming you still have write access) to mark that as the main executable. The virus can do its deed, and then fork/exec the real executable so the user is blithely unaware that anything has changed.
- If it can't modify Info.plist, it can still rename the SurfWriter executable to "SurfWriter " (appending a space), and install the virus under the old SurfWriter name. The virus operates as before, except that after the fork/exec it'll show up in Activity Monitor under the new name. It would take a very astute observer to notice the extra space.
The virus installer just scans your /Applications folder, looking for any application where it has write permission to the MacOS subfolder. (It always has read/execute access, or the application would be un-launchable.)
The installed virus can wait until the day some admin launches SurfWriter, at which time it can spread to any application whose MacOS folder is admin-writeable (i.e, a whole lot of apps). The safest applications are the ones that are writeable only by root. Apple installs most but not all of their apps this way. (FaceTime and iTunes, to name just two, are admin-writeable. Fortunately, they're code-signed.) Writeable by only root and/or admin is the bare minimum you should insist on for all applications.
But even running as non-admin doesn't make you completely safe. The virus installer could copy applications whole from /Applications into a hidden folder in your home folder (or in /Users/Shared). The copy would be writeable, and all the same tricks would apply. The remaining step is to modify the user-specific copy of the Launch Services database to make the copied app the designated opener of assorted document types. It does make you safer, though. Only that user is infected, and there's no mechanism for spreading the infection to other user accounts. The virus could occasionally phone home checking for updates, so it could rapidly exploit new weaknesses as they're discovered.
The attacker's main hurdle is getting that first piece of chosen code to run on your machine. To do that, he has to either exploit a security hole in your browser or one of its plugins (I'm looking at you, Adobe), or download a malicious file to your computer and trick you into opening it.
Only the clumsiest attacker has ever needed a password.
The weak link in security is, and always has been, the user. As long as humans operate computers, no amount of software can make the computers unhackable.
Agreed.