Last month, Stefan Esser blogged about a zero-day vulnerability in OS X 10.10 (the DYLD_PRINT_TO_FILE bug), without having informed Apple about the problem first. Unfortunately, today has brought the discovery of the first known exploit in the wild.
Adam Thomas, a researcher at Malwarebytes, discovered a new adware installer, and while testing it, he discovered something very strange: his sudoers file had been modified!
For those who don’t know, the sudoers file (/etc/sudoers) is a Unix configuration file, kept in a directory the Finder hides by default, that determines, among other things, who is allowed to run commands as root via sudo, and whether they must enter a password to do so. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.
As can be seen from the code snippet, the script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed. Part of the script deletes that file when it’s finished, to cover its tracks.
The real meat of the script, though, is the modification of the sudoers file. The script appends a rule that lets shell commands be executed as root using sudo, without the usual requirement of entering a password (the sudoers NOPASSWD tag).
Then the script uses sudo’s new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer’s disk image, giving it full root permissions, and thus the ability to install anything anywhere on the system. (This app is responsible for installing the VSearch adware.)
In addition to installing VSearch, the installer will also install a variant of the Genieo adware and the MacKeeper junkware. As its final operation, it directs the user to the Download Shuttle app on the Mac App Store.
This is obviously very bad news. Apple has evidently known about this issue for a while now – not due to Esser, but thanks to a responsible researcher going by the Twitter handle @beist, who had alerted Apple some time before Esser discovered the bug.
Unfortunately, Apple has not yet fixed this problem, and the bug is now being exploited in the wild.
Worse, there is no good way to protect yourself, short of installing Esser’s software (SUIDGuard) to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.
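Two checks a Mac admin would want after reading the description of the script above and the note that there is no good protection: an audit of a sudoers file for the password-free rules the installer planted, and a probe that tells you whether dyld on this machine still honors DYLD_PRINT_TO_FILE in a setuid process. This is an added example, not code from the original post and not the adware’s own script. The exact line the installer appended is not shown on the page; the constructed sample sudoers below uses the form from Esser’s public proof of concept (`NOPASSWD:ALL`), and the probe uses the same newgrp mechanism as that proof of concept, but points the variable at a scratch file in /tmp rather than at /etc/sudoers.

```shell
#!/bin/sh
# Added example (not from the original post or the adware). Two checks:
#   1. audit a sudoers file for active NOPASSWD rules;
#   2. on macOS only, probe whether dyld honors DYLD_PRINT_TO_FILE for the
#      setuid newgrp binary, writing to a scratch file instead of /etc/sudoers.

# Print the active (non-comment) lines of a sudoers file that carry NOPASSWD.
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD'
}

# Count those lines; "0" means the file grants no password-free sudo.
count_nopasswd_rules() {
    nopasswd_rules "$1" | wc -l | tr -d ' '
}

# Write a constructed sudoers file to "$1": stock rules plus the kind of
# line a malicious installer appends (sample data, not a real /etc/sudoers).
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# Constructed sample for the audit, not a real /etc/sudoers
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
# NOPASSWD in a comment must not count
victim ALL=(ALL) NOPASSWD:ALL
EOF
}

# Probe the dyld flaw. Returns 1 if vulnerable, 0 if the variable was
# ignored, 2 when not on macOS. newgrp is setuid root; if dyld honors
# DYLD_PRINT_TO_FILE there, the child shell inherits the opened file on
# descriptor 3 and the redirection lands in it, exactly as in the exploit,
# except the target is a scratch file and the payload is one word.
probe_dyld_print_to_file() {
    [ "$(uname)" = Darwin ] || { echo "probe skipped: not macOS"; return 2; }
    scratch=$(mktemp /tmp/dyld_probe.XXXXXX) || return 2
    echo 'echo vulnerable >&3' | DYLD_PRINT_TO_FILE="$scratch" newgrp >/dev/null 2>&1
    if grep -q vulnerable "$scratch" 2>/dev/null; then
        rm -f "$scratch"
        echo "VULNERABLE: dyld honored DYLD_PRINT_TO_FILE in a setuid process"
        return 1
    fi
    rm -f "$scratch"
    echo "not vulnerable: DYLD_PRINT_TO_FILE was ignored"
    return 0
}

main() {
    sample=$(mktemp /tmp/sudoers_sample.XXXXXX)
    write_sample_sudoers "$sample"
    echo "password-free rules in constructed sample: $(count_nopasswd_rules "$sample")"
    nopasswd_rules "$sample"
    rm -f "$sample"
    # The real file is readable only by root, so this part needs sudo.
    if [ -r /etc/sudoers ]; then
        echo "password-free rules in /etc/sudoers: $(count_nopasswd_rules /etc/sudoers)"
    fi
    probe_dyld_print_to_file || true
}
main
```

If the audit turns up a rule you did not add, remove it with `sudo visudo` rather than a plain editor, and run `sudo visudo -c` afterwards so a syntax slip does not lock you out of sudo entirely. The probe should report "not vulnerable" on OS X 10.10.5 or later, where Apple closed the hole, and "VULNERABLE" on 10.10.4.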
Hopefully, this discovery will spur Apple to fix the issue more quickly.
In the meantime, as always, be careful what you download! For some practical tips on how to avoid these kinds of nasty installers, see How can I protect myself?, which is part of The Safe Mac’s Mac Malware Guide.