Roughly two weeks ago, German security researcher Stefan Esser published details of a zero-day vulnerability in OS X. The problem, according to Esser, is that Apple introduced a new capability (via the DYLD_PRINT_TO_FILE environment variable) that lets dyld, the dynamic linker, write its log output to any file the user specifies. Unfortunately, Apple didn’t properly secure the function. Esser writes that Apple mistakenly added the new functionality directly to the _main function of dyld. He goes on to say:

“Because of this oversight dyld will accept DYLD_PRINT_TO_FILE even for restricted binaries, like SUID root binaries. This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not openes [sic] with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege escalation.”

[Figure: DYLD exploit code]
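The descriptor-inheritance behaviour Esser describes can be checked on any POSIX system. The following C program is an added example, not code from Esser, Apple or Malwarebytes: it opens a file with and without the close-on-exec flag and reports whether a program started with fork() and exec() still holds the descriptor. The helper names `fd_survives_exec` and `set_cloexec` are hypothetical, and `/dev/null` stands in for the log file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if `fd` is still open in a program started via fork()+exec(),
 * 0 if it was closed at exec time, -1 on error. */
int fd_survives_exec(int fd)
{
    char script[64];
    /* `: >&N` only duplicates descriptor N; it fails when N is not open. */
    snprintf(script, sizeof script, "exec 2>/dev/null; : >&%d", fd);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                      /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* Marks an already-open descriptor close-on-exec; returns 0 on success. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0 ? -1 : 0;
}

int main(void)
{
    /* /dev/null is a constructed stand-in for the log file. */
    int leaky = open("/dev/null", O_WRONLY);             /* no close-on-exec */
    int safe  = open("/dev/null", O_WRONLY | O_CLOEXEC); /* closed at exec   */
    printf("plain open():      inherited=%d\n", fd_survives_exec(leaky));
    printf("O_CLOEXEC open():  inherited=%d\n", fd_survives_exec(safe));
    set_cloexec(leaky);
    printf("after set_cloexec: inherited=%d\n", fd_survives_exec(leaky));
    close(leaky);
    close(safe);
    return 0;
}
```

Code that runs with elevated privileges and later executes other programs should open files with O_CLOEXEC, or close them before exec, so that the child never receives a descriptor it could not have opened itself.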

That was two weeks ago. Today, Malwarebytes published a blog post claiming to have detected the issue in real malware. Specifically, the new module allowed an application to gain root permissions via a Unix shell, all without ever needing a password. That’s the kind of hack that could cripple deployed systems, and the code that Malwarebytes detected is specifically designed to delete itself after running. The change in question allows for commands to be executed as root using sudo, with no password requirement at all.

Privilege escalation bugs are some of the worst for end-users, as they can allow individuals accessing a machine remotely to launch attacks that wouldn’t normally be possible without direct access to the machine. While this bug is present in all versions of 10.10.4 and earlier betas of 10.10.5, Esser reports that later beta revisions of Mac OS X have apparently closed the security hole. Mac OS X 10.11 beta also isn’t impacted. If you aren’t into running beta software, however, neither of these options is going to work for you.

Ars Technica reports that Esser has created his own fix, available here, but some people may not be willing to install a patch written by a third party rather than sanctioned by Apple itself. Right now, users have only a handful of options to actually solve the problem and, as Malwarebytes reports, the exploit is significant. The malware package they tracked was capable of installing malware applications with full root permissions. In addition to VSearch, the MBAM team tracked installs of Genieo adware, MacKeeper junkware, and a download accelerator, dubbed Download Shuttle.

For years, Mac aficionados claimed that superior engineering kept the Mac free from viruses, while Windows users and sympathetic pundits claimed that it was the operating system’s relative obscurity that actually kept it safe. I’ve no intent of charging in where angels fear to tread, but it does seem true that increased visibility of the OS X platform has led to an increased number of hackers looking for problems and avenues to exploit.

Read more http://www.extremetech.com/computing/211668-new-zero-day-attack-threatens-fully-patched-os-x

