An unpatched local privilege escalation vulnerability in Apple’s OS X operating system has been exploited by malicious actors to install adware and other suspicious applications on vulnerable computers.
The details of the security hole were disclosed two weeks ago by German researcher Stefan Esser. The expert had not notified Apple before making his findings public, but the company was already aware of the issue because it had been reported several months earlier by the South Korean researcher known as “beist.”
Apple fixed the flaw in the beta versions of OS X El Capitan 10.11, but not in the current releases.
Researchers at antivirus firm Malwarebytes discovered an attack leveraging the vulnerability while analyzing a new adware installer. The attackers have been exploiting the flaw to modify “sudoers,” a hidden UNIX file that lists users authorized to run certain commands as other users.
By modifying the “sudoers” file, the attackers can execute their installer with root permissions without requiring victims to enter their password. The installer, named “VSInstaller,” is used to install the VSearch adware, the Genieo adware, and the controversial MacKeeper software.
Once this is done, the installer directs users to the Apple App Store page of the Download Shuttle file downloader app.
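Because the attack described above works by appending a rule to the sudoers file, one defensive check is to audit that file for grants that a stock OS X install never carries. The following Python audit is an added example, not code from the article or from Malwarebytes; the sample sudoers content is constructed (the exact line VSInstaller writes is not given on the page), and the list of expected principals is an assumption based on the default `root` and `%admin` rules.

```python
import re

# Constructed sample of a sudoers file (typically /etc/sudoers): the stock
# OS X rules plus a NOPASSWD line of the kind an adware installer would
# append so it can run as root without a password prompt. The specific
# line used by VSInstaller is not on the page; this one is illustrative.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
Defaults env_reset
alice   ALL=(ALL) NOPASSWD: ALL
"""

# Principals that legitimately hold broad sudo rights on a default install
# (assumption: root plus the admin/wheel groups).
EXPECTED_PRINCIPALS = {"root", "%admin", "%wheel"}

# Grammar of a user specification:  user  host=(runas) [TAG:] commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text):
    """Return (line_no, reason, raw_line) findings for suspicious rules."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            findings.append((no, "unparsed rule", raw))
            continue
        tags = m.group("tags").replace(" ", "")
        if "NOPASSWD:" in tags:
            findings.append((no, "NOPASSWD grant", raw))
        if m.group("user") not in EXPECTED_PRINCIPALS and m.group("cmds").strip() == "ALL":
            findings.append((no, "unexpected principal with ALL", raw))
    return findings


if __name__ == "__main__":
    for no, reason, raw in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {no}: {reason}: {raw}")
```

Running it against the real file (`sudo cat /etc/sudoers`) flags both the NOPASSWD tag and the unexpected principal on the appended line, while the stock rules pass cleanly.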
“Hopefully, this discovery will spur Apple to fix the issue more quickly,” Malwarebytes researchers said in a blog post.
The local privilege escalation vulnerability disclosed by Esser is related to DYLD_PRINT_TO_FILE, an environment variable that enables error logging to arbitrary files. The feature was introduced by Apple in OS X 10.10.
“When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows to open or create arbitrary files owned by the root user anywhere in the file system,” Esser explained.
“Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x,” Esser added.
The researcher has advised OS X users to install his SUIDGuard tool to protect themselves against potential attacks.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.