A vulnerability exists in OS X in which an attacker can abuse a routine that is generally intended for logging to overwrite system files. In doing so, the attacker can modify the system to bypass OS X’s security measures and give full “root” access to malware installers. As a result, further modifications to an affected Mac can be made without any indication to the user and without any authentication requirement.
The exploit uses an environment variable in OS X called “DYLD_PRINT_TO_FILE”, which allows a program to redirect error messages to a specific file instead of to the system’s standard error stream. By default, the standard error stream (stderr) lets error messages be logged and otherwise handled by official system services, but if a developer wishes, this variable allows alternative handling and logging. Unfortunately, a bug exists in this routine: if an existing file is specified, the system will overwrite its contents.
Once the attack is done, the malware can modify any file and install any additional program it chooses. Currently, malware exploiting this vulnerability has been found by MalwareBytes; it uses the exploit to install MacKeeper, VSearch, and Genieo, which are commonly unwanted third-party programs often referred to as adware and junkware.
To check a system’s “sudoers” file, open the OS X Terminal and run the following command:
sudo cat /etc/sudoers
Running this command gives you two ways to identify this exploit. By default, the command requires you to supply the password of an administrative account, so if it runs without asking for a password, something is wrong. Next, in the output of the command, check all of the lines that do not begin with a hash mark (#). Lines starting with this mark are comments and are ignored, so a line without the mark is active. If any active (un-hashed) line contains the word NOPASSWD, then the file has been modified to allow root access without a password.
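The two checks just described, written out as an added example that is not part of the original article: a small POSIX shell script that applies the “active, un-hashed line containing NOPASSWD” rule to sudoers text. The two sample sudoers contents are constructed for illustration only (they are not taken from the page or from any malware sample), and the helper names `check_sudoers_file` and `passwordless_sudo_available` are chosen here; those two run against the live system, so they are defined but not invoked automatically.

```shell
#!/bin/sh
# Added example, not from the original article: apply the article's rule
# ("an active, un-hashed sudoers line containing NOPASSWD means the file was
# modified") to sudoers text read from stdin.

# Print every active line containing NOPASSWD. Leading whitespace is
# stripped, then blank lines and lines beginning with '#' are discarded.
active_nopasswd_lines() {
    sed 's/^[[:space:]]*//' | grep -v '^#' | grep -v '^$' | grep 'NOPASSWD'
}

# Print the number of active NOPASSWD lines ("0" when the file is clean).
count_active_nopasswd() {
    active_nopasswd_lines | wc -l | tr -d ' '
}

# Classify sudoers text passed as $1: prints MODIFIED or CLEAN.
classify_sudoers() {
    n=$(printf '%s\n' "$1" | count_active_nopasswd)
    if [ "$n" -gt 0 ]; then
        echo MODIFIED
    else
        echo CLEAN
    fi
}

# Live checks (helper names chosen for this example); not run automatically.
# The first mirrors "sudo cat /etc/sudoers" from the article. The second uses
# sudo's non-interactive flag (-n), which fails instead of prompting when a
# password would be required, so success means passwordless sudo is in effect.
check_sudoers_file() {
    classify_sudoers "$(sudo cat /etc/sudoers)"
}
passwordless_sudo_available() {
    sudo -n true 2>/dev/null
}

# Constructed sample 1: a stock-looking file. The NOPASSWD text appears only
# inside a comment, so it must NOT be reported.
SAMPLE_CLEAN='# sudoers file.
# Example only, not active: ALL ALL=(ALL) NOPASSWD: ALL
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

# Constructed sample 2: the same file with an active passwordless grant added
# (indented, to show that leading whitespace does not hide it).
SAMPLE_MODIFIED='# sudoers file.
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
   ALL ALL=(ALL) NOPASSWD: ALL'

# Stand-alone demonstration on the constructed samples.
echo "sample 1: $(classify_sudoers "$SAMPLE_CLEAN")"       # CLEAN
echo "sample 2: $(classify_sudoers "$SAMPLE_MODIFIED")"    # MODIFIED
```

To run the same rule on a real Mac, call `check_sudoers_file`; it prompts for an administrator password exactly as the article's command does, and a prompt that never appears is the first warning sign the article mentions.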
Unfortunately, all current versions of OS X are vulnerable to this exploit, so it will take an update from Apple to supply a fix. However, while this may be concerning, keep in mind that this exploit does require you to download and run a nefarious malware installer. Currently no program can automatically download and run on your Mac without you purposefully launching it, so your best bet for staying safe is simply to monitor what programs you run. If you do not know where a program came from, delete it and re-download it, or at least investigate it and confirm you know what it is before you run it. Some examples of suspicious downloads include:
- E-mail attachments recommending you open a program or link, especially from strange sources
- Any automatic download in your Web browser that you did not specifically click to perform
- Any program from Web sites that offer free software and services
- Any sites that issue persistent warnings about the security of your computer
- Any sites that appear to “lock” your computer and then require you call a support number to unlock the system.
Via: MalwareBytes (Thomas Reed)
So, how does it infect Macs? Is a password granting access required?
If you read the article you’ll find a detailed explanation of how this exploit works. Try it, you’ll like it. 😉
Thanks for the article Mr. Kessler. This thing is spread the old-fashioned way by tricking the user into installing it. The big difference is that it doesn’t need an admin password to do its thing. Good advice at the end too about watching what you click on.
ArsTechnica’s coverage says this only affects 10.10 (Yosemite) and that there’s a non-Apple patch to prevent the attack. FWIW.
I think you can prevent the attack by just paying attention to what you click on.
@lkrupp215: Right. And who does that, or can do that, all the time? If everybody did, or everybody could, there would be no such thing as malware. That’s why they call this stuff human engineering now. It depends on human fallibility for its success, a universal condition from which there is no escape – for anyone – this side of the grave.
Does this mean that MacKeeper is indeed malware? I’ve always heard that is just relatively useless software with an overly aggressive marketing campaign.