An unpatched local privilege escalation vulnerability in Apple’s OS X operating system has been exploited by malicious actors to install adware and other suspicious applications on vulnerable computers.
The details of the security hole were disclosed two weeks ago by German researcher Stefan Esser. The expert had not notified Apple before making his findings public, but the company was aware of the issue because it was previously reported several months ago by the South Korean researcher known as “beist.”
Apple fixed the flaw in the beta versions of OS X El Capitan 10.11, but not in the current releases.
Researchers at antivirus firm Malwarebytes discovered an attack leveraging the vulnerability while analyzing a new adware installer. The attackers have been exploiting the flaw to modify “sudoers,” a hidden UNIX file that lists users authorized to run certain commands as other users.
By modifying the “sudoers” file, the attackers can execute their installer with root permissions without requiring victims to enter their password. The installer, named “VSInstaller,” is used to install the VSearch adware, the Genieo adware, and the controversial MacKeeper software.
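As an added defensive example (not code from the article or from Malwarebytes), the POSIX shell audit below flags the kind of sudoers change described above: any rule carrying NOPASSWD, and any rule whose principal is not on an expected allow-list. The sample sudoers content is constructed, and `#includedir` entries are not followed, so any `sudoers.d` drop-ins would need a separate pass.

```shell
#!/bin/sh
# Constructed sample sudoers content (not from a real system); the last
# rule models the password-less root grant an installer would add.
SAMPLE_SUDOERS='# sudoers file.
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
guest ALL=(ALL) ALL
user ALL=(ALL) NOPASSWD: ALL
'

# audit_sudoers FILE "EXPECTED PRINCIPALS"
# Prints one "flag: <reason>: <rule>" line per suspicious rule.
# Blank lines, comments (including #include/#includedir), Defaults and
# alias definitions are skipped; everything else is treated as a rule.
audit_sudoers() {
  file=$1
  expected=$2
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*|Defaults*|*_Alias*) continue ;;
    esac
    # Any rule that waives the password prompt is reported regardless of user.
    case "$line" in
      *NOPASSWD*) printf 'flag: NOPASSWD: %s\n' "$line"; continue ;;
    esac
    # First whitespace-separated field is the user or %group the rule applies to.
    who=$(printf '%s\n' "$line" | awk '{print $1}')
    found=0
    for e in $expected; do
      [ "$who" = "$e" ] && found=1
    done
    [ "$found" -eq 0 ] && printf 'flag: unexpected principal: %s\n' "$line"
  done < "$file"
  return 0
}

# Demo run against the constructed sample: expect two flagged rules.
tmp=$(mktemp)
printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
audit_sudoers "$tmp" "root %admin"
rm -f "$tmp"
```

On a live system the same function can be pointed at a copy of `/etc/sudoers` obtained with `sudo cat`, or at the output of `visudo -c -f` on a snapshot taken for forensics.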
Once this is done, the installer directs users to the Apple App Store page of the Download Shuttle file downloader app.
“Hopefully, this discovery will spur Apple to fix the issue more quickly,” Malwarebytes researchers said in a blog post.
The local privilege escalation vulnerability disclosed by Esser is related to DYLD_PRINT_TO_FILE, an environment variable that enables error logging to arbitrary files. The feature was introduced by Apple in OS X 10.10.
“When this variable was added, the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows opening or creating arbitrary files owned by the root user anywhere in the file system,” Esser explained.
“Furthermore, the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x,” Esser added.
The researcher has advised OS X users to install his SUIDGuard tool to protect themselves against potential attacks.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.