Zero-day exploit hits fully patched Macs

Security researchers have discovered a zero-day vulnerability that affects the latest, fully patched version of OS X. It is thought the flaw, affecting OS X 10.10.4, has already been used by hackers.

The problem lies with a new error-logging feature in OS X that can be abused to create files with root privileges on a target Mac without a system password being required.

Researchers from Malwarebytes said they had identified a malware installer in the wild that exploits the vulnerability.

Hackers can modify the sudoers file, which determines, among other things, who is allowed to obtain root permissions in a Unix shell and how.

“The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password,” said the researchers in a blog post.

“The script uses sudo's new password-free behaviour to launch the VSInstaller app, which is found in a hidden directory on the installer's disk image, giving it full root permissions, and thus the ability to install anything anywhere.”

By modifying the file, hackers can install adware such as VSearch, variants of the Genieo package and MacKeeper.
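As an added defensive check that is not part of the article or of the Malwarebytes research, the POSIX shell audit below flags the kind of sudoers change described above: rules that grant root without a password, and principals outside an expected baseline. The function names and the sample sudoers content are constructed for illustration; on a real system you would point the functions at /etc/sudoers.

```shell
#!/bin/sh
# Added example: audit a sudoers-format file for rules that grant root without
# a password, the kind of modification the researchers describe. This is not
# code from the article or from Malwarebytes; the sample content is constructed.

# Print every active (non-comment) line that carries a NOPASSWD tag.
# Exit status 0 if at least one such rule exists, 1 if the file is clean.
find_nopasswd_rules() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" | grep -i 'NOPASSWD'
}

# Print the number of NOPASSWD rules (0 when none). Always exits 0 so it can
# be used under "set -e".
count_nopasswd_rules() {
    n=$(sed -e 's/#.*$//' "$1" | grep -ci 'NOPASSWD') || true
    printf '%s\n' "${n:-0}"
}

# Print the first field (user or %group) of every command rule whose principal
# is not in the allowed baseline. "root %admin" is the macOS default set;
# pass a second argument to use a different baseline for your fleet.
unexpected_principals() {
    baseline="${2:-root %admin}"
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" \
    | grep -v '^[[:space:]]*Defaults' \
    | awk -v allowed="$baseline" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1 }'
}

# Constructed sample: the macOS default rules plus one injected line of the
# kind described in the article (passwordless root for a non-admin account).
SAMPLE_FILE="${TMPDIR:-/tmp}/sudoers_sample.$$"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
guest   ALL=(ALL) NOPASSWD: ALL
EOF

# Run the checks against the sample. On a live Mac, substitute /etc/sudoers
# (and validate its syntax first with "sudo visudo -c").
echo "NOPASSWD rules: $(count_nopasswd_rules "$SAMPLE_FILE")"
find_nopasswd_rules "$SAMPLE_FILE"
echo "Unexpected principals: $(unexpected_principals "$SAMPLE_FILE")"
```

The checks are deliberately conservative: a NOPASSWD rule or an unfamiliar principal is not proof of compromise, but either warrants comparing the live file against the last known-good copy from your configuration management before trusting the machine.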

The vulnerability exists in Apple's current OS X 10.10.4 and recent beta versions of OS X 10.10.5, but not early builds of OS X 10.11.

The researchers said that hopefully, “this discovery will spur Apple to fix the issue more quickly”.

The discovery of the in-the-wild exploit comes just a month after security researcher Stefan Esser published details and proof-of-concept code for a zero-day vulnerability in OS X Yosemite that could allow a hacker to quickly escalate their privileges and take control of a Mac. The DYLD_PRINT_TO_FILE vulnerability is, however, fixed in Yosemite's successor, El Capitan.

SektionEins, the security firm that Esser works for, has released a kernel extension called SUIDGuard that protects computers from the threat.

Nick Mazitelli, principal consultant at Context Information Security, said that more malware of this kind would "almost certainly" appear on OS X.

“Coding errors leading to security vulnerabilities are an unavoidable part of software development, for any and all vendors. While secure development practices might go a long way to reducing the incidence of these sorts of vulnerabilities they will never be eradicated completely,” he said.

“While Mac OSX has historically been less targeted - arguably benefiting from a relative level of obscurity - there is an increasing trend for attackers to look beyond the traditional hunting ground of Windows. As such it is likely that non-Windows operating systems will continue to see an increase in malicious activity directed towards them.”

Mazitelli said that good security practice remains the same regardless of the operating system involved.

“Basic security 'hygiene' including ensuring regular and prompt application of operating system and application updates; minimisation of the attack surface through removing unnecessary or high risk applications (eg Java, flash); installation of basic security software (ie antivirus); and some user awareness of secure practices and behaviours in regard to email and internet usage goes a long way to mitigating this or any security vulnerability. And just to be sure, good backups of crucial data never hurt either.”

TK Keanini, CTO at Lancope, said that the only fix is to apply the vendor patch.

“This is an escalation of privilege so the attacker first needs an account, any account before they can escalate it to the super user. This is why it is dangerous to have a weak password on an account on your machine because once identified, it can be used to escalate to the root user and once root, game over,” he said.

“The exploit mentioned installs malware but, given the level of access, it could perform any other action the attacker wishes. If left exploitable, this attack vector could be used for ransomware or any other of the attacker's objectives.”

“The exploit is extremely effective and attackers will be adding it to their playbook.  Don't be surprised if your OSX machine is compromised at the Blackhat/Defcon show this week by this vulnerability. Patch it or leave your laptop at home,” warned Keanini.

This story originally appeared in
