New Zero-Day memory injection vulnerability discovered in OS X

BurnIconXPCWorld is reporting that a new zero-day vulnerability has been found in OS X, affecting versions from 10.9.5 through the recently released 10.10.5. The problem lies in how NULL pointers are handled: a malicious program can use a special condition to bypass the default location that NULL pointers are directed to, and thereby bypass OS X’s security.

In OS X applications there is a segment of memory called “__PAGEZERO” that consists of zero values and is used to catch pointers (items that reference sections of memory) that point to “NULL”, meaning that while they are present in the program, they are not used. In essence, this is the programmer telling the system, “if you generate this information I do not want, I am going to have you immediately discard it.”

There are a number of programming reasons why NULL pointers are useful; however, in programs that are missing this “__PAGEZERO” segment, pointers to NULL may instead reference other sections of memory that are active, which allows for code injection. Once that is done, an attacker can issue code to gain root access and essentially have full control of the system.

The vulnerability is not present in the current beta releases of OS X 10.11, where Apple is working to clamp down on security vulnerabilities. However, because it is present in even the latest versions of prior OS X releases, anyone who is tricked into running a malicious program that uses this exploit may put their system at risk.

As with other exploits for OS X, this one requires that you download a faulty or malicious program and then run it. That makes such problems relatively easy to avoid, but it means you and anyone else who uses your system must be diligent about not executing any program you did not purposefully install or download from a developer’s Web site, online store, or other reputable software repository.

The Italian developer who found this vulnerability has released a small bit of code called NULLGuard that is intended to patch OS X by killing any running process that either lacks a “__PAGEZERO” segment or has a faulty one. Since essentially all valid programs should have a properly formatted __PAGEZERO segment, this is one way to prevent such programs from running. Unfortunately, the patch is issued as an Xcode project, meaning you will have to use developer tools to make use of it. Furthermore, it is an unsupported third-party patch for core OS X functionality and comes with no guarantees of any kind.
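To make the __PAGEZERO check described above concrete, here is an added example (not NULLGuard’s code and not from the article) that audits Mach-O files on disk rather than running processes. It parses the load commands of a thin little-endian Mach-O image and reports whether a __PAGEZERO segment is present at address 0, non-empty, and mapped with no access permissions; those three criteria are my reading of a “properly formatted” guard segment, not a definition taken from NULLGuard. Fat/universal binaries and byte-swapped headers are not handled, and the sample images at the bottom are constructed in-line for demonstration.

```python
"""Audit Mach-O images for a sane __PAGEZERO segment.

Added example, not NULLGuard and not code from the article. Reads thin
little-endian Mach-O files (fat/universal wrappers are not handled) and reports
whether the guard region at address 0 is present, non-empty and inaccessible.
"""
import struct
import sys

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O header magic
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O header magic
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19
MH_EXECUTE = 2
VM_PROT_NONE = 0           # no read/write/execute


def iter_segments(data):
    """Yield (segname, vmaddr, vmsize, maxprot, initprot) for every segment load command."""
    if len(data) < 28:
        raise ValueError("file too short to be a Mach-O image")
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_size, seg_cmd, seg_fmt = 32, LC_SEGMENT_64, "<16sQQQQiiII"
    elif magic == MH_MAGIC:
        header_size, seg_cmd, seg_fmt = 28, LC_SEGMENT, "<16sIIIIiiII"
    else:
        raise ValueError("not a thin little-endian Mach-O image (fat or byte-swapped files are not handled)")
    # ncmds and sizeofcmds sit at the same offsets in both header layouts.
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    offset = header_size
    end = min(header_size + sizeofcmds, len(data))
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("load commands run past the declared command area")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd == seg_cmd:
            if cmdsize < 8 + struct.calcsize(seg_fmt):
                raise ValueError("segment command truncated")
            name, vmaddr, vmsize, _fileoff, _filesize, maxprot, initprot, _nsects, _flags = \
                struct.unpack_from(seg_fmt, data, offset + 8)
            yield name.rstrip(b"\0").decode("ascii", "replace"), vmaddr, vmsize, maxprot, initprot
        offset += cmdsize


def check_pagezero(data):
    """Return (ok, reason). ok is True only when __PAGEZERO starts at 0, is non-empty,
    and both maxprot and initprot are VM_PROT_NONE, so a NULL dereference can only fault."""
    for name, vmaddr, vmsize, maxprot, initprot in iter_segments(data):
        if name != "__PAGEZERO":
            continue
        if vmaddr != 0:
            return False, f"__PAGEZERO at 0x{vmaddr:x}, not at address 0"
        if vmsize == 0:
            return False, "__PAGEZERO has zero size"
        if maxprot != VM_PROT_NONE or initprot != VM_PROT_NONE:
            return False, f"__PAGEZERO is mapped with protection maxprot={maxprot} initprot={initprot}"
        return True, f"__PAGEZERO covers 0x0-0x{vmsize:x} with no access"
    return False, "no __PAGEZERO segment"


def build_macho(segments, bits=64):
    """Constructed minimal Mach-O header for demonstration: segment load commands only."""
    if bits == 64:
        seg_cmd, seg_fmt, cputype = LC_SEGMENT_64, "<16sQQQQiiII", 0x01000007   # CPU_TYPE_X86_64
    else:
        seg_cmd, seg_fmt, cputype = LC_SEGMENT, "<16sIIIIiiII", 0x7             # CPU_TYPE_X86
    cmds = b""
    for name, vmaddr, vmsize, maxprot, initprot in segments:
        body = struct.pack(seg_fmt, name.encode(), vmaddr, vmsize, 0, 0, maxprot, initprot, 0, 0)
        cmds += struct.pack("<II", seg_cmd, 8 + len(body)) + body
    if bits == 64:
        header = struct.pack("<IiiIIIII", MH_MAGIC_64, cputype, 3, MH_EXECUTE, len(segments), len(cmds), 0, 0)
    else:
        header = struct.pack("<IiiIIII", MH_MAGIC, cputype, 3, MH_EXECUTE, len(segments), len(cmds), 0)
    return header + cmds


# Constructed sample images (not real binaries). Protection bits: r=1, w=2, x=4.
GOOD_IMAGE = build_macho([("__PAGEZERO", 0, 0x100000000, 0, 0), ("__TEXT", 0x100000000, 0x1000, 7, 5)])
GOOD_IMAGE_32 = build_macho([("__PAGEZERO", 0, 0x1000, 0, 0), ("__TEXT", 0x1000, 0x1000, 7, 5)], bits=32)
MISSING_IMAGE = build_macho([("__TEXT", 0, 0x1000, 7, 5)])   # first mapping starts at 0 and is executable
READABLE_IMAGE = build_macho([("__PAGEZERO", 0, 0x100000000, 7, 1), ("__TEXT", 0x100000000, 0x1000, 7, 5)])


def read_file(path):
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    targets = [(p, read_file(p)) for p in sys.argv[1:]] or [
        ("constructed good", GOOD_IMAGE), ("constructed missing", MISSING_IMAGE),
        ("constructed readable", READABLE_IMAGE)]
    for label, image in targets:
        ok, why = check_pagezero(image)
        print(f"{'OK  ' if ok else 'WARN'} {label}: {why}")
```

Run it with one or more paths to Mach-O executables to list any that lack a usable guard region; with no arguments it audits the constructed samples. The check deliberately treats a readable __PAGEZERO the same as a missing one, since a NULL dereference that succeeds instead of faulting is the condition the article describes.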

As a result, you may be better off waiting for an official fix from Apple and, in the meantime, simply observing good computing practices: avoid running any program unless you know exactly where it came from and understand its purpose. By doing this alone, you will be very well protected from this and practically all other exploits for OS X, which similarly require you to first download and run some unknown program.

6 thoughts on “New Zero-Day memory injection vulnerability discovered in OS X”

  1. B. Jefferson Le Blanc

    I think it’s curious that this exploit can affect versions of OS X 10.9.5 through 10.10.5 and, apparently, no earlier versions of OS X. This is, of course, good news for anyone running Mountain Lion or earlier, but it means as well that Apple engineers actually programmed the vulnerability into Mavericks and Yosemite. This is not a confidence builder, to say the least, and is just one more strike against the OS X development teams, as if they needed any more challenges to their credibility and competence. Not that accountability is a thing at Apple any more. Else, why iTunes 12? Or Yosemite, for that matter.

  2. lkrupp215

    All these flaws and literally almost no one gets compromised by them, ever. We hear about these things, about how bad they are, about how the data Apocalypse is near and we should all go hide under our beds and wait for Armageddon. Then the alarming reports disappear and we never hear about them again. No reports of how many thousands of users have had their bank accounts emptied out by the latest boogeyman exploit. For example, anyone see anything about how many people’s lives were destroyed by the infamous Heartbleed SSL flaw? This baby was supposed to take down the entire Internet overnight according to the paranoid crowd. It was supposed to literally be the end of civilization as we know it.

    And what is the response of the hand wringers and security ‘experts?’ Well, they say, people don’t know they got compromised… but they did? Sounds like the conspiracy theory nuts who have an argument for anything that debunks their delusional mindsets.

    1. Who is Really Delusional?

      How do you think things like the Ashley Madison, OIG, and IRS hacks happen? The underlying exploits used for most hacks are not revealed, oftentimes because they’re impossible to track down after the fact. Since Heartbleed showed random segments of memory, a successful exploit would leave no trace, but would still give attackers credentials or other information required to further the attack.

      You definitely have little understanding of information security and may not even understand how computers work.

  3. Billy Buttons

    If you are tricked into running malicious code, then that’s enough frankly. You are the biggest security hole!

  4. Ian Weir

    Have they released a patch yet? NO. Seems that Apple can’t plug holes in existing OSes in a reasonable amount of time. That tells me that they don’t take their customers’ security seriously, or their own.
