nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Mac fans! Don't run any old guff from the web: Malware spotted exploiting OS X root bug

Dodgy apps use hole in Yosemite to inject adware

By Chris Williams, 4 Aug 2015

The amusing vulnerability in Apple's OS X that grants administrator-level access to anyone who asks is being exploited in the wild by malware. Yeah, malware exists for Macs, this isn't the 1990s.

Anyone logged in to a vulnerable OS X computer, or any software running on it, can use the security hole to gain the same privileges as the powerful root user, meaning they can install new programs, change files, remove or add new users, wreck the system, and so on, at will.

According to Adam Thomas of Malwarebytes, dodgy software distributed on the internet is now exploiting the vulnerability to inject the VSearch and Genieo adware plus the MacKeeper junkware on to Macs, and point users at an app to download from the official App Store.

Victims first have to be tricked into downloading and opening a disk image file, running the installer app inside, and clicking through OS X's are-you-sure-you-want-to-run-untrusted-things-from-the-internet warnings. Then the software uses the escalation-of-privilege bug to silently install adware and other junk.

(Running malicious on your Mac is bad enough, by the way, let alone code that snatches root access. The adware needs the root privileges to install itself so that it runs during startup, and so on.)

"The user has to download it," Thomas Reed, director of Mac Offerings at Malwarebytes, told The Register on Tuesday.

"It comes in the form of an installer on a disk image (.dmg) file, like most of the adware out there for the Mac. The user is tricked into downloading it from somewhere, then must manually open the disk image and then open the installer.

"Once the installer (which is really just an app, not actually an Apple installer package) opens, it executes the exploit code in a Unix shell, giving another app hidden on the disk image full root privileges, which it uses to install the payload."

The exploited security flaw is present in all publicly available versions of OS X 10.10, aka Yosemite – the latest official version. It has been fixed in OS X 10.11 (El Capitan), which is available as a public beta, and OS X 10.10.5 Beta 2, which is available to developers.

Exploiting the bug involves abusing the new environment variable DYLD_PRINT_TO_FILE to overwrite the file that contains the list of users allowed to gain root-level permissions. This file can be modified to allow the logged-in user to gain these administrator powers without needing to type in a password, and thus allowing any software running to snatch these powers without permission, too.

Vulnerable fans can either sit tight and hope they don't run any dodgy software that exploits the bug, upgrade to a fixed build of the operating system, or install Stefan Esser's SUIDGuard mitigation tool. Esser revealed details of the flaw late last month.

"Hopefully, this discovery will spur Apple to fix the issue more quickly," added Malwarebytes' Reed. With the fix in the beta stage, we assume it will be along soon, right Apple? ®

The Register - Independent news and views for the tech community. Part of Situation Publishing