An exploit present in OS X 10.10 allows the bad guys to install adware and malware onto a Mac without the need for system passwords.
Discovered by Malwarebytes, the malware installer takes advantage of new error logging features introduced in the latest version of OS X, reports Ars Technica.
The installer reportedly gains root level permissions by modifying the OS X sudoers configuration file, leaving it vulnerable to installation of malware and adware.
Malwarebytes:
As can be seen from the code snippet shown here, the script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed. Part of the script involves deleting itself when it’s finished.
The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.
Then the script uses sudo’s new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer’s disk image, giving it full root permissions, and thus the ability to install anything anywhere. (This app is responsible for installing the VSearch adware.)
The bug was discovered by researcher Stefan Esser last week, he says developers failed to use standard security protocols OS X dynamic linker dyld. Esser reports the vulnerability is present in OS X 10.10.4, and the recent beta versions of OS X 10.10.5. He reports it is not present in early builds of OS X 10.11 El Capitan.
This exploit news follows on the heels of a proof-of-concept worm called Thunderstrike 2, which can affect both Mac and PC hardware. The attack targets option ROM on peripherals, allowing it to be spread simply by connecting an infected peripheral to a Mac or PC.