The latest version of OS X includes a new bug that is being exploited by hackers. The bug enables hackers to install malware on a Mac, even without a password.
The bug stems from a new OS X feature that writes error logs to a file, which was recently discovered to be easy for hackers to exploit. Through this error-log vulnerability, hackers can create files with root privileges anywhere on OS X.
Anti-malware firm Malwarebytes elaborated on the malicious installer’s threat: “The sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.”
As the bug is present in the current, fully patched 10.10.4 version of OS X, many users could be negatively impacted. However, the bug is not in the beta release of 10.11, which suggests that Apple was aware of the problem and was already working to fix it.
Malwarebytes’ Adam Thomas brought the bug to the public’s attention after discovering the adware installer; it caught his eye in particular because he noticed that his sudoers file had been modified.
How the Malware Operates
Named after the DYLD_PRINT_TO_FILE environment variable it abuses, the malware can run commands as root and bypass the password normally required to run them, which turns a vulnerable Mac into an easy access point for adware. The flaw has already been patched in both the OS X 10.11 El Capitan beta and the OS X 10.10.5 beta, the former of which is not out until this fall.
The infecting command looks something like this; the line it writes into the sudoers file grants the current user root access without a password:
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
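The modification Adam Thomas noticed is the tell-tale sign of this installer: a user spec granting NOPASSWD:ALL. The following checker, an added example that is not from the article or from Malwarebytes, scans sudoers text for that entry shape; the sample file content is constructed for illustration.

```python
import re

# Constructed sample of an /etc/sudoers file after the installer has appended
# its line (the final entry); the user name "jdoe" is made up for the example.
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults env_reset
Defaults env_keep += "HOME MAIL"

# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
jdoe ALL=(ALL) NOPASSWD:ALL
"""

# A sudoers user specification: who  hosts=(runas) commands
USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)

# Directive lines that are not user specs and can be skipped.
NON_SPEC_PREFIXES = ("Defaults", "User_Alias", "Host_Alias",
                     "Cmnd_Alias", "Runas_Alias")


def suspicious_sudoers_entries(text):
    """Return (line_no, who, cmds) for every user spec that grants
    passwordless execution of ALL commands, the shape this installer injects."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line or line.startswith(NON_SPEC_PREFIXES):
            continue
        match = USER_SPEC.match(line)
        if not match:
            continue
        cmds = match.group("cmds")
        # Normalise "NOPASSWD: ALL" / "nopasswd:all" variants before comparing.
        if "NOPASSWD:ALL" in cmds.replace(" ", "").upper():
            hits.append((line_no, match.group("who"), cmds))
    return hits


if __name__ == "__main__":
    for line_no, who, cmds in suspicious_sudoers_entries(SAMPLE_SUDOERS):
        print(f"line {line_no}: '{who}' may run '{cmds}' without a password")
```

On a real Mac, feed the checker the contents of /etc/sudoers (readable only as root); any non-root user or group with NOPASSWD:ALL that you did not add yourself deserves a closer look.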
Now that the issue is a major talking point in the tech community, Apple didn’t waste any time in revoking the malware’s certificate.
This means that Gatekeeper, Apple’s service that blocks untrusted programs, will prevent it from launching. Gatekeeper checks an app’s signature before allowing it to run, much like a security checkpoint. Apple is also updating OS X’s anti-malware definitions, so future attempts to install the malware from outside the App Store will be rejected.
Certificate revocation, enforced by Gatekeeper, is important in bugs like this one and many others, since it makes using a Mac much safer while Apple works to address the bug entirely with a patch. In the future, with the release of OS X El Capitan, System Integrity Protection represents the next layer of protection by limiting harm even more effectively. In addition, Apple encourages customers to use the Mac App Store as a source for apps, since every app on the store is checked for viruses and vulnerabilities before it is listed.
Do You Need to Worry?
If you’re running OS X 10.10.4, DYLD_PRINT_TO_FILE is still a concern, though not as much as you may think.
Apple removed much of the threat by revoking the malware’s certificate, though a full patch will still be needed to remedy it entirely. Patches for a flaw like this are complex to build and take time, but one is expected to be available shortly.
Although users shouldn’t be terribly worried about this bug, since it has been properly identified, this OS X flaw should at least remind users to be cautious when downloading software from suspicious websites or email.
The next iteration of DYLD_PRINT_TO_FILE may unfortunately be only one install away, so always exercise caution when downloading software.