Hackers exploit OS X zero-day vulnerability

Hackers have been taking advantage of a serious zero-day vulnerability in the latest version of Apple’s OS X (Yosemite), allowing them to install malware and adware on Macs without needing a password or administrative privileges.

Malwarebytes reported yesterday (Monday 3rd August) that one of its experts had found the first known exploit of this flaw, which SektionEins’ Stefan Esser identified last month.

Adam Thomas, a threat researcher at Malwarebytes, uncovered the malicious installer while running tests on an OS X machine. Here he found something peculiar – his sudoers file had been modified without permission.

“For those who don’t know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how,” the website explained.

“The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.”

The exploit, which is referred to as DYLD_PRINT_TO_FILE, allows hackers to covertly infect Macs with adware like VSearch and junkware like MacKeeper.
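As a defender's check for the sudoers tampering described above, here is an added example that is not code from the article, Malwarebytes or ESET: a small Python auditor that parses sudoers text and flags passwordless root grants or entries missing from an assumed stock-Yosemite baseline. The baseline set and the sample file contents are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Assumed baseline: grants a stock OS X 10.10 /etc/sudoers is expected to carry.
# Placeholder values; replace with a known-good copy of your own file.
EXPECTED_GRANTS = {("root", "ALL=(ALL) ALL"), ("%admin", "ALL=(ALL) ALL")}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")
RULE_RE = re.compile(r"^(?P<who>[^\s#]+)\s+(?P<spec>.+)$")


def audit_sudoers(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, entry) for every entry deviating from baseline.
    Joins backslash-continued lines; skips comments, Defaults and alias lines."""
    findings: List[Tuple[int, str, str]] = []
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        piece = raw.strip().rstrip("\\").strip()
        buf, start = (buf + " " + piece, start) if buf else (piece, no)
        if raw.rstrip().endswith("\\"):
            continue  # entry continues on the next line
        entry, buf = buf.strip(), ""
        if not entry or entry.startswith(SKIP_PREFIXES):
            continue
        if entry.startswith("#"):
            if entry.startswith("#include"):  # a directive, not a comment
                findings.append((start, "include directive: audit that file too", entry))
            continue
        m = RULE_RE.match(entry)
        if not m:
            findings.append((start, "unparseable line", entry))
            continue
        who, spec = m.group("who"), " ".join(m.group("spec").split())
        if "NOPASSWD" in spec.upper():
            # the effect the article describes: root via sudo with no password
            findings.append((start, "passwordless root grant", entry))
        elif (who, spec) not in EXPECTED_GRANTS:
            findings.append((start, "grant not in baseline", entry))
    return findings


# Constructed sample of a tampered file; not captured from a real machine.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
Defaults    env_keep += "BLOCKSIZE"
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# an appended grant of the kind a tampered file contains
bob ALL=(ALL) \\
    NOPASSWD: ALL
"""
```

On a real system, pass the contents of /etc/sudoers (readable only by root) to `audit_sudoers` and treat any finding as a sign that the file needs a manual review against a known-good copy.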

According to Mr Esser, the zero-day vulnerability affects the current OS X release, 10.10.4, as well as its most recent beta, 10.10.5.

Interestingly, the security flaw has not been spotted in the latest beta versions of OS X El Capitan. However, Apple has yet to comment officially on the matter.

“At ESET we have seen some files exploiting this vulnerability in the wild, which are detected as OSX/Adware.VSearch.F,” commented Raphael Labaca Castro, ESET security researcher.

“Even though this signature was created in December 2014, we recommend users keep their security solution updated to protect against any new threats that might appear. It will also alert them to upcoming OS updates.”
