New Zero-Day memory injection vulnerability discovered in OS X

PCWorld is reporting that a new zero-day vulnerability has been found for OS X, which affects versions of OS X from 10.9.5 through to the recently-released 10.10.5. The problem comes from how NULL pointers in programs are handled, where malicious programs may use a special condition to bypass the default location where NULL code is directed to, and allow the program to bypass OS X’s security.

In OS X applications, there is a segment of memory called “_PAGEZERO” that consists of zero values, and is used to catch programming pointers (items that reference sections of memory) that are pointing to “NULL”, meaning that while present in the program, their functions are not used. In essence, this is the programmer telling the system “if you generate this information I do not want, I am going to have you immediately discard it.”

There are a number of programming reasons why the NULL pointers are useful; however, in programs that are missing this “_PAGEZERO” segment, the pointers to NULL may reference other sections of memory that are active, and thereby allow for code injection. When this is done, an attacker can then issue code to gain access to system root, and then essentially have full access to the system.

The vulnerability is not present in the current beta releases of OS X 10.11, where Apple is working to clamp down on security vulnerabilities. However, it being present in even the latest versions of prior OS X releases means if someone is tricked into running a malicious program that uses this exploit, then they may put their system at risk.

As with other exploits for OS X, this does require you download a faulty and malicious program, and then run this program. This makes avoiding such problems relatively easy to do, but means that you and others that use your system must be diligent in not executing any program that you did not purposefully install or download from a developer’s Web site, online store, or other reputable software repository.

The Italian developer who found this vulnerability has released a small bit of code called NULLGuard that intends to patch OS X by killing any running process that either lacks or has a faulty “_PAGEZERO” segment. Since essentially all valid programs should have a properly formatted _PAGEZERO segment, this is one way to prevent programs from running. Unfortunately, this patch is issued as an XCode project, meaning you will have to use developer tools to make use of it. Furthermore, this is an unsupported third-party patch for core OS X functionality, which comes with no guarantees of any kind.

As a result, you might be better off waiting for an official fix from Apple, and in the mean time simply observe good computing practices and avoid running any program unless you know exactly where it came from and understand its purpose. By simply doing this, you will be very well protected from this and practically all other exploits for OS X, which similarly require you initially download and run some unknown program.

Photo of author


Mac Issues

At Mac Issues, we're dedicated to helping you learn how to use your Macbook properly. With tutorials, how-to troubleshooting guides & real reviews, hopefully we can make your day that little bit easier.

Read more from Mac Issues