A vulnerability exists in OS X where an attacker can take advantage of a routine that is generally intended for logging, and overwrite system files. In doing so, the attacker can modify the system to allow bypassing of OS X’s security measures and give full “root” access to malware installers. The result of this is further modification to an affected Mac can be performed without any indication or authentication requirement.

The exploit uses an environmental variable in OS X called “DYLD_PRINT_TO_FILE” which allows a program to redirect error messages to a specific file, instead of to the systems standard error stream. By default, the standard error stream (stderr) allows error messages to be logged and otherwise handled by official system services, but if a developer wishes, this variable allows for alternative handling and logging. Unfortunately, a bug exists in this routine, such that if an existing file is specified, then the system will overwrite its contents.

This type of modification will generally corrupt a system, leading to instability such as crashes and hangs, but attackers are using this vulnerability to target the system’s “sudoers” file. This file contains rules governing which user accounts can run programs with “root” privileges, and what authentication steps are needed to do this. In general, this file is set so that only administrative accounts have this access, but are still required to supply a password. However, the attack overwrites this file in a way such that no authentication is needed.

When the attack is done, the malware can then modify any file and install any additional program it chooses. Currently, malware exploiting this vulnerability have been found by MalwareBytes, which use it for installing MacKeeper, VSearch, and Genieo, which are commonly unwanted third-party software programs that are often referred to as adware and junkware.

To check a system’s “sudoers” file, open the OS X Terminal and run the following command:

sudo cat /etc/sudoers

By running this command you have two modes for identifying this exploit. By default, this command will require you supply your password from an administrative account, so if it runs without you supplying this password, then something is wrong. Next, in the output of this command, check all of the lines that do not begin with a hash mark (#). This mark means these lines are not used, so the mark being absent means the line is active. For active (un-hashed) lines, if any contain the word NOPASSWD, then the file has been modified to allow root access without a password.

Unfortunately all current versions of OS X are vulnerable to this exploit, so it will take an update from Apple to supply a fix. However, while this may be concerning, do keep in mind that this exploit does require you download and run a nefarious malware installer. Currently no programs can automatically download and run on your Mac without you purposefully launching them, so your best bet at being safe is to simply monitor what programs you run. If you do not know where a program came from, then delete it and re-download it, or at least investigate it and confirm you know what it is before you run it. Some examples of suspicious downloads include:

• E-mail attachments recommending you open a program or link, especially from strange sources
• Any automatic download in your Web browser that you did not specifically click to perform
• Any program from Web sites that offer free software and services
• Any sites that issue persistent warnings about the security of your computer
• Any sites that appear to “lock” your computer and then require you call a support number to unlock the system.

Via: MalwareBytes (Thomas Reed)