Apple OS X zero-day flaw hands over root access without system passwords

A week after the disclosure of a zero-day vulnerability an active exploit has been spotted in the wild.
Written by Charlie Osborne, Contributing Writer
Roy Zipstein | Apple
A zero-day flaw which allows attackers to gain root access to Mac systems is now being exploited online.

Last month, security researcher Stefan Esser disclosed a privilege escalation vulnerability in OS X which impacts OS X 10.10.x by way of the dynamic linker dyld and environment variable DYLD_PRINT_TO_FILE features, newly added to the operating system.

It was unclear at the time whether Apple knew about the security flaw as the problem has been patched in the first beta versions of OS X El Capitan 10.11, but not in the current release of OS X 10.10.4 or in the current beta of OS X 10.10.5. While Esser did not inform Apple of the bug at the time of public disclosure, it is believed the iPad and iPhone maker may have known about the vulnerability through an earlier disclosure by another researcher.

Unfortunately, it seems the zero-day vulnerability is already being exploited in OS X.

Malwarebytes researcher Adam Thomas spotted the exploit after stumbling upon a new adware installer. During testing on an OS X machine, Thomas realized his sudoers file had been modified. The sudoers file is a hidden Unix file which decides who is permitted root permissions in a Unix shell, and how this is granted.

In this case, the vulnerability allowed the adware installer to gain root permissions via a Unix shell without requiring password permissions from an administrator.

The exploiting script which uses the DYLD_PRINT_TO_FILE vulnerability is written to a file, executed and then deleted. The script changes the nature of the sudoers file to allow shell commands to be executed as root without passwords before launching the VSInstaller app.

Granted full root permissions, the app -- found in a hidden directory on the adware installer's disk image -- is then able to download whatever it pleases.

According to the security team, VSInstaller app is responsible for installing VSearch adware, and will also install Genieo adware and the MacKeeper junkware.

Until a fix is issued, there is no way to protect yourself against these attacks beyond using a patch Esser himself created.

In related news, researchers Trammel Hudson and Xeno Kovah have demonstrated a proof-of-concept malware which targets Apple firmware. The ThunderStrike 2 malware begins with a local root privilege exploit and is able to reboot the motherboard boot flash and use the PCIe bus to spread to new systems.

ZDNet has reached out to Apple and will update if we hear back.

Top 5 security practices in staying safe online: From the experts

Read on: Top picks

In pictures:

Editorial standards