Mac users, beware — the ads you see on the Web could let hackers hijack your device.
Malwarebytes has discovered a new zero-day exploit in OS X that lets apps bypass passwords during installation to get root permission through a Unix shell.
A new adware installer downloaded by a Malwarebytes researcher modified his sudoers file — a hidden Unix file that controls access to root permissions.
The script exploited the DYLD_PRINT_TO_FILE vulnerability publicized last month by German security researcher Stefan Esser.
Together with the disclosure, Esser posted a TrustedBSD kernel extension he wrote to protect against the vulnerability.
“Apple has not fixed [the vulnerability] yet,” said Thomas Reed, director of Mac offerings at Malwarebytes.
“I can’t say why not, but it does appear that they have known about the issue for some time,” he told TechNewsWorld. “Apparently, another researcher [with the Twitter handle ‘@beist’] alerted Apple prior to Esser’s release, but I’m unclear on the timing of that report.”
What the DYLD Exploit Does
The script exploiting the DYLD vulnerability is written to a file and then executed. It then deletes itself.
The script allows shell commands to be executed as root using sudo, without requiring a password, Malwarebytes found.
It then launches the VSInstaller app, which is in a hidden directory on the installer’s disk image, and gives it full root permissions. That lets the app install anything anywhere.
VSInstaller installs VSearch adware, as well as a variant of the Genieo adware and the MacKeeper junkware application. It then directs the user to the Download Shuttle app in the Mac App Store.
There is no good way for users to protect themselves short of installing Esser’s kernel extension, Malwarebytes said.
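The installer's key step, as described above, was appending a passwordless rule to the sudoers file. The following shell audit is an added example for administrators, not code from the article or from Malwarebytes: it reports any active NOPASSWD rule so it can be removed with visudo. It assumes POSIX sh, sed and grep, and that the caller passes the file path (the real /etc/sudoers is readable only by root, so run it with sudo there); the sample file at the bottom is constructed for demonstration.

```shell
#!/bin/sh
# Added defender-side example; not code from the article or from Malwarebytes.
# Assumptions: POSIX sh, sed and grep; the sudoers path is given by the caller.

# audit_sudoers FILE
# Prints every active (non-comment) line containing NOPASSWD, with its line
# number, and returns 1 when at least one exists, 0 when the file is clean,
# and 2 when the file cannot be read.
audit_sudoers() {
    file="$1"
    [ -r "$file" ] || { echo "audit_sudoers: cannot read $file" >&2; return 2; }
    # Strip comments first so a commented-out rule is not a false positive;
    # sed keeps one output line per input line, so grep -n numbers still match.
    hits=$(sed 's/#.*$//' "$file" | grep -n 'NOPASSWD' || true)
    if [ -n "$hits" ]; then
        echo "passwordless sudo rules in $file (line: rule):"
        echo "$hits"
        return 1
    fi
    echo "no passwordless sudo rules in $file"
    return 0
}

# Demonstration on a constructed sudoers file (the real one needs root to read).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# NOPASSWD inside a comment must not trigger
ALL ALL=(ALL) NOPASSWD: ALL
EOF
audit_sudoers "$sample"
rm -f "$sample"
```

On a clean system the only matches should be rules an administrator knowingly added; an `ALL ALL=(ALL) NOPASSWD: ALL` line that nobody remembers writing is exactly the condition the Malwarebytes researcher found. Edit the file only through `visudo`, which checks syntax before saving, since a malformed sudoers locks everyone out of sudo.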
Apple Zips Its Lips
Apple came under fire from Esser, who claimed the company already had fixed the flaw in the newest version of OS X, El Capitan, which has been in public beta for several months.
Apple rolled out the third public beta last month and the fourth on Tuesday.
However, Esser’s assumption that Apple had fixed the flaw in El Capitan but decided not to fix it in the current version, OS X Yosemite, may be incorrect, Reed suggested.
“That just doesn’t seem reasonable to me,” he said, adding that Apple contacted him for more information “within a couple hours after my blog post was published.”
Apple did not respond to our request to comment for this story.
Bumbling Into a Hack
The people behind the DYLD exploit are “just adware vendors,” Reed said. They “tend to write careless, sloppy code, and haven’t showed any signs of being highly skilled.”
Reed criticized Esser for publicizing the flaw, reasoning that the hackers “would not have found a vulnerability like this on their own, in my opinion.”
Esser has his defenders. Commenting on the Malwarebytes blog post, “m4rkw” contended Esser only released the information to motivate Apple “to bother fixing a bug that they apparently [weren’t] going to bother with … leaving millions of users vulnerable to what is quite a trivial exploit.” Further, Esser provided a fix.
Esser contends he did nothing wrong.
“Why should I?” he responded on his Twitter feed when someone asked why he didn’t notify Apple instead of publicizing the vulnerability on his blog.
Esser did not respond to our request to comment for this story.
Ads Are Dangerous
The DYLD exploit opens the door to malvertising — malicious ads created by hackers.
Yahoo was hit by a malvertising attack this past week — and it, Google, AOL, and various online ad distribution platforms have been used to distribute malvertisements for some time now.
“One successful penetration of an ad system leads to huge payoff in terms of the total number of victims who can be attacked via malicious ads,” said Lane Thames, security research and software development engineer at Tripwire.
“If large-scale malvertising campaigns … continue,” he told TechNewsWorld, “consumers will lose more trust in these ad services, which can ultimately lead to financial losses for the ad organizations.”