OS X privilege escalation exploit makes for silent-killer malware

— 8:37 AM on August 4, 2015

A zero-day vulnerability in OS X Yosemite is being exploited in the wild, and it's a doozy. According to Malwarebytes, a script that exploits the vulnerability can give a local user root privileges without ever triggering a password prompt, which lets malware running under that user's account do untold harm to a vulnerable Mac.

OS X (like other Unix-like operating systems) keeps a list of who may run commands as root: the sudoers file. The flaw, usually referred to by the name of the environment variable involved, DYLD_PRINT_TO_FILE, stems from the dynamic linker honoring that variable even for setuid programs; the file it opens for writing is inherited by the program's children, so an unprivileged script can append to /etc/sudoers. The script in question uses this to add an entry granting its user root permissions without a password (the NOPASSWD tag, in sudoers terms). Once that entry is in place, the script can run anything as root, and the victim never sees a password prompt.
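A practitioner cleaning up after this adware wants to know whether a sudoers file already carries a passwordless grant. The following audit script is an added example, not code from the article or from Malwarebytes; it parses a sudoers file (joining backslash continuations and stripping comments roughly as sudo does), reports every user specification tagged NOPASSWD, and flags grants covering ALL commands. The sample sudoers text is constructed to resemble a default Yosemite file with one appended grant for a made-up user "bob"; the `#uid` user form and `User_Alias` expansion are assumed not to matter for this check and are not handled. It is written to run under both the Python 2.7 that shipped with 10.10 and Python 3.

```python
"""Audit a sudoers file for passwordless (NOPASSWD) grants.

Added example, not part of the original article. Run as root to audit
/etc/sudoers and /etc/sudoers.d; without root it falls back to the
constructed sample below.
"""
import io
import os
import re

# Constructed sample: OS X 10.10 defaults plus one appended grant for a
# made-up user. This is what an injected sudoers entry looks like.
SAMPLE_SUDOERS = (
    "# sudoers file (constructed sample)\n"
    "Defaults        env_reset\n"
    "Defaults        env_keep += \"BLOCKSIZE\"\n"
    "#includedir /private/etc/sudoers.d\n"
    "\n"
    "root            ALL=(ALL) ALL\n"
    "%admin          ALL=(ALL) ALL\n"
    "bob ALL=(ALL) NOPASSWD:ALL\n"
)

# Lines that are directives, not user specifications.
DIRECTIVE_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias",
                      "Host_Alias", "Cmnd_Alias", "#include")

# user  host_list = [(runas)] [TAG:] command_list
USER_SPEC = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.+)$")


def logical_lines(text):
    """Yield sudoers lines with backslash continuations joined and
    comments removed. '#include'/'#includedir' are directives, not
    comments, so they are kept."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if line.startswith("#") and not line.startswith("#include"):
            continue
        # Drop an inline comment: whitespace followed by '#'.
        line = re.split(r"\s#", line, maxsplit=1)[0].strip()
        if line:
            yield line
    if pending.strip():
        yield pending.strip()


def parse_user_specs(text):
    """Return (user, hosts, spec) tuples for each user specification."""
    specs = []
    for line in logical_lines(text):
        if line.startswith(DIRECTIVE_PREFIXES):
            continue
        match = USER_SPEC.match(line)
        if match:
            specs.append(match.groups())
    return specs


def audit_sudoers_text(text):
    """Return one finding per user spec carrying a NOPASSWD tag.

    'all_commands' is True when the first command after the tag is ALL,
    i.e. unrestricted passwordless root, which is the grant the adware
    described in the article needs."""
    findings = []
    for user, hosts, spec in parse_user_specs(text):
        if "NOPASSWD:" not in spec:
            continue
        cmds = spec.split("NOPASSWD:", 1)[1].strip()
        findings.append({
            "user": user,
            "hosts": hosts,
            "all_commands": cmds.split(",")[0].strip() == "ALL",
            "spec": spec,
        })
    return findings


def audit_sudoers_file(path):
    with io.open(path, "r", encoding="utf-8", errors="replace") as fh:
        return audit_sudoers_text(fh.read())


def audit_system():
    """Audit /etc/sudoers and every file in /etc/sudoers.d.
    Unreadable or missing files map to None (sudoers is mode 0440)."""
    paths = ["/etc/sudoers"]
    if os.path.isdir("/etc/sudoers.d"):
        paths += [os.path.join("/etc/sudoers.d", name)
                  for name in sorted(os.listdir("/etc/sudoers.d"))]
    results = {}
    for path in paths:
        try:
            results[path] = audit_sudoers_file(path)
        except (IOError, OSError):
            results[path] = None
    return results


if __name__ == "__main__":
    system = audit_system()
    if all(v is None for v in system.values()):
        print("Could not read system sudoers (run as root); using sample.")
        system = {"<sample>": audit_sudoers_text(SAMPLE_SUDOERS)}
    for path, findings in system.items():
        for f in (findings or []):
            tag = "ROOT-ALL" if f["all_commands"] else "limited"
            print("%s: %s %s -> %s" % (path, tag, f["user"], f["spec"]))
```

Any hit for a non-root, non-%admin user with `all_commands` set deserves the same follow-up the article describes for VSInstaller: check the file's modification time, look for recently installed applications, and remove the entry with `visudo` rather than a plain editor.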

Malwarebytes researcher Adam Thomas found that this issue is being exploited in the wild. An installer called VSInstaller uses the vulnerability to make the required modification to sudoers, then installs one or more potentially unwanted programs without any prompts. To cover its tracks, the script deletes itself and performs an innocuous action, such as opening the page for an unrelated app on the Mac App Store.

Stefan Esser, the security researcher and iOS-jailbreak developer known as i0n1c, published details of the exploit on his blog without first notifying Apple. Fortunately, a separate researcher had already discovered the issue and reported it to Apple, so the Mac maker wasn't caught completely by surprise. Esser has provided a fix of his own, but Malwarebytes seems skeptical of both that fix and Esser's motives.

Apple has not yet shipped a patch for the vulnerability. With adware exploiting this hole in the wild, the company will hopefully move to squash it quickly.
