SecurityWeek

Malware & Threats

Zero-Day Vulnerability in OS X Exploited in the Wild

An unpatched local privilege escalation vulnerability in Apple’s OS X operating system has been exploited by malicious actors to install adware and other suspicious applications on vulnerable computers.

Details of the security hole were disclosed two weeks ago by German researcher Stefan Esser, who had not notified Apple before publishing. The company was nevertheless already aware of the issue: it had been reported several months earlier by the South Korean researcher known as “beist.”

Apple fixed the flaw in the beta versions of OS X El Capitan 10.11, but not in the current OS X 10.10.x releases.

Researchers at antivirus firm Malwarebytes discovered an attack leveraging the vulnerability while analyzing a new adware installer. The attackers have been exploiting the flaw to modify the sudoers file (/etc/sudoers), the root-owned UNIX configuration file that the sudo utility consults to decide which users may run which commands as other users, typically root.

By appending a rule to the sudoers file, the attackers let the current user run any command through sudo without being prompted for a password, so their installer executes with root permissions without the victim ever having to authenticate. The installer, named “VSInstaller,” is used to install the VSearch adware, the Genieo adware, and the controversial MacKeeper software.

Once this is done, the installer directs users to the Apple App Store page of the Download Shuttle file downloader app.

“Hopefully, this discovery will spur Apple to fix the issue more quickly,” Malwarebytes researchers said in a blog post.

The local privilege escalation vulnerability disclosed by Esser is related to DYLD_PRINT_TO_FILE, an environment variable honoured by the dynamic linker (dyld) that redirects its error logging to an arbitrary file. The feature was introduced by Apple in OS X 10.10.


“When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker were not used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows opening or creating arbitrary files owned by the root user anywhere in the file system,” Esser explained.

“Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x,” Esser added.

The researcher has advised OS X users to install his SUIDGuard tool to protect themselves against potential attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
