OS X Zero-Day Exploit Lets Attackers Gain Root Access

A zero-day vulnerability has been revealed in Apple's OS X 10.10 that can give attackers root access to the system. Once the root access has been gained, attackers can of course do pretty much anything on the system. The vulnerability has been reportedly been patched in the first beta versions of OS X 10.11 El Capitan but not in the current OS X 10.10.4 and 10.10.5 developer release.

The bug resides in the new error-logging feature which Apple introduced with OS X 10.10 Yosemite. The code lacks the OS X dynamic linker dyld, an integral part of an operating system that links and loads shared libraries needed by executable programs. Without it, attackers are able to open and create files without needing any password permission from the administrator. The first exploit method to take advantage of the vulnerability has been found.

On Monday, Malwarebytes researcher Adam Thomas reported the exploit after he found the sudoers - the files that decide which users are permitted to have the root access in a Unix shell - had been modified on his test system by an adware installer.

The vulnerability has piqued the interest of attackers. Malwarebytes reports that attackers are using a new malicious installer - called VSInstaller - to infect Macs with VSearch, Genieo and MacKeeper adwares. Once that is done, it is able to download and install more malicious codes from the Web.

VSInstaller can be spotted in a hidden directory of the adware image. The DYLD_PRINT_TO_FILE vulnerability was first disclosed by security researcher Stefan Esser, and Thomas claims Esser did not inform Apple about the vulnerability first. He adds that Apple was informed by another researcher earlier. Esser has created a patch fixing the vulnerability, but until Apple releases an official patch for OS X 10.10.4 and 10.10.5 beta, most users don't have any other choice but to wait.