DYLD_PRINT_TO_FILE exploit found in the wild

Posted: August 3, 2015 by Thomas Reed
Last updated: March 31, 2016

Last month, Stefan Esser blogged about a zero-day vulnerability in OS X, without having informed Apple about the problem first. Unfortunately, today has brought the discovery of the first known exploit.

Adam Thomas, a researcher at Malwarebytes, discovered a new adware installer, and while testing it, he discovered something very strange: his sudoers file had been modified!

For those who don’t know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.

As can be seen from the code snippet shown here, the script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed. Part of the script involves deleting itself when it’s finished.

The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.

Then the script uses sudo’s new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer’s disk image, giving it full root permissions, and thus the ability to install anything anywhere. (This app is responsible for installing the VSearch adware.)

In addition to installing VSearch, the installer will also install a variant of the Genieo adware and the MacKeeper junkware. As its final operation, it directs the user to the Download Shuttle app on the Mac App Store.

This is obviously very bad news. Apple has evidently known about this issue for a while now – not due to Esser, but thanks to a responsible researcher going by the Twitter handle @beist, who had alerted Apple some time before Esser discovered the bug.

Unfortunately, Apple has not yet fixed this problem, and now it is beginning to bear fruit.

Worse, there is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.

Hopefully, this discovery will spur Apple to fix the issue more quickly.

In the meantime, as always, be careful what you download! For some practical tips in how to avoid these kinds of nasty installers, see How can I protect myself?, which is part of The Safe Mac’s Mac Malware Guide.

COMMENTS

Pingback: DYLD_PRINT_TO_FILE exploit found in the wild for OS X | MacIssues()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs - Daily Tech News()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs | CTECH 3384()
Pingback: OS X Flaw in the Wild Abuses Error Logging Function to Edit sudoers | Qntra()
Pingback: Active OS X 10.10 zero-day exploit installs malware without need for system passwords | The Today Online()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs | TechDiem.com()
Pingback: Active Mac OS X Exploit | Opinionated Information Security()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs - Apple Mac Training UK()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs()
Pingback: Apple OS X zero-day flaw hands over root access without system passwords | iTelNews()
Tim Tian

Oh geez, if a person that isn’t worth several billion can do it with less warning (well, several hundred billion, not that I’m expecting either to throw all their money at it), then why can’t Apple? Yes, I hope very much that Apple fixes this soon.
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required - Popular Trending | trends.my.id()
Pingback: A Privilege Bug in OS X Is Being Exploited to Hijack Macs - Press Today()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required — Cath News India()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required - Ask a Question and Get Answer Frequently Asked Questions()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | insurance()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | My Power Health()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required24h khỏe đẹp()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | AllPhoneNews()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | Daily_V()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | Taiwan NO 01()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | iTruckTV()
Pingback: Mac OS X Kusurları Apple İmajına Zarar Veriyor()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | Thalaippu()
Pingback: DYLD_PRINT_TO_FILE exploit found in the wild | vyagers()
Crazy Harry

Users who aren’t logged in as administrators, are they vulnerable to this exploit?
bobthedino2000

Good write-up, but one minor point: the /etc/sudoers file is not really a “hidden file”. You can see it in the Finder if you use the “Go->Go to Folder…” command and enter “/etc”.
Pingback: Kritische Sicherheitslücke in OS X: Warum Apple jetzt schnell reagieren muss | t3n()
Pingback: In-the-wild attack exploits unpatched OS X zero-day flaw()
Pingback: В прошивке компьютеров Mac выявлена очередная уязвимость | Gadgets News()
m4rkw

The author of this post is an idiot for attacking Esser. He was very clear that Apple already knew about the bug for several months before he dropped the exploit – it’s already fixed in El Capitan. He only released it in an effort to motivate Apple to bother fixing a bug that they apparently weren’t going to bother with (latest Yosemite beta did not include the fix), leaving millions of users vulnerable to what is quite a trivial exploit.

He also provided free mitigation with the release, which Apple has so far failed to do even after knowing about the bug for several months. Perhaps Mr Thomas Reed should have read Esser’s release article in full before writing this, and direct his misinformed vitriol towards the billion-dollar company that is failing to make reasonable efforts to keep its users secure rather than the lone security researcher providing security fixes for a commercial operating system to the general public for free.
Pingback: New OS X vulnerability being exploited in the wild. | Information Technology News()
Pingback: OS X-bug laat malware ongezien toe | Appleweetjes()
Pingback: Hackers are installing malware on Macbooks — and there’s nothing you can do to stop them (AAPL) | Digital Wealth()
Pingback: Hackers are installing malware on Macbooks — and there’s nothing you can do to stop them (AAPL) | HEALTH O NEWS()
Pingback: First Known Exploit of Apple DYLD_PRINT_TO_FILE Vulnerability Discovered in the Wild | Dennis Nadeau Complaint Blog()
Pingback: Hackers are installing malware on Macbooks — and there’s nothing you can do to stop them (AAPL) - Totempool Totempool()
Pingback: Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password - Middle East Post | Middle East Post()
Pingback: Hackers are installing malware on Macbooks — and there’s nothing you can do to stop them (AAPL) - Press Today()
Pingback: A New Bug In OS X That Leaves Mac Users Vulnerable | applea2z()
Pingback: Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password | HacktheW0r1d()
EdisonCarter

It’s only really “fixed” in El Capitan as a side effect of Apple introducing the new – and widely reported – “rootless” security feature which introduces fine grained file permissions.

Can you provide any actual other proof that Apple sat on this report for months and did nothing?

Maybe you should research your facts better before going around calling other people idiots.
Pingback: Sicherheitslücke in OS X 10.10.4 lässt Malware ohne Passwort-Eingabe installieren - Apfelnews()
Pingback: New Mac Exploit Spotted In The Wild With No Way To Protect Yourself | The IT Nerd()
Pingback: La última beta de OS X El Capitán contiene un grave problema de seguridad - Applelizados()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware on Mac computers()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware on Mac computers | Kikk Start Consulting()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware on Mac computers | News Aggregator()
Pingback: Two Mac viruses strike at the heart of the platform's secure image | New Feeds UK()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware on Mac computers | SEO News | Technology News | Insurance News | Mecwan.com()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware on Mac computers | ShoutYourSite()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware on Mac computers | Tech Feed - CPN DEV()
Pingback: SANSANI | OS X Zero-Day Exploit Lets Attackers Gain Root Access()
Pingback: OS X 嚴重漏洞，讓駭客無需密碼即可攻擊 Mac 電腦-大雨头条()
Poik

The proof was in the article, fifth to last paragraph.
Pingback: OS X 10.10 Zero Day Exploit Can Install Malware With No Need for System Password | MacTrast()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware | Bain Daily()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware - DailyScene.comDailyScene.com()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware | Public Relations()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware | eventsoftwp()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs - #1 Info Portal()
Pingback: Watch out for these serious Mac attacks | Prosperitized.com()
Pingback: Watch out for these serious Mac attacks – News-9.com – The best Source of Latest Worldwide News()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware - **** on Heels()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware | JogleApp()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware | Creative Crate()
Michael

Actually the entire /etc directory is marked as hidden, thats why you need to use the Go to Folder menu option to find it. You can’t just brows to it as you would most other files.
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware | BW:NET | UK & USA VPS Servers | Shared Hosting | UK Dedicated Servers | Domain Registration | Freelance Webhosting()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware » Today's America()
Pingback: Two Mac viruses strike at the heart of the platform’s secure image – The Guardian | NewsBreakOnline.com()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware - BillAggelopoulos.com()
Pingback: Descubierta una vulnerabilidad en OS X que permite la instalación de software sin requerir contraseña()
Pingback: 0-Day Bug in Fully Patched OS X Comes Under Active Exploit to Hijack Macs | Forensic News()
Thomas Reed

In Esser’s original post revealing the vulnerability, he said, “At the moment it is unclear if Apple knows about this security problem or not.” That’s pretty clear cut.

Also, it’s Esser’s assumption – which some people are echoing – that Apple deliberately fixed this issue in El Capitan, while also deliberately not fixing it in Yosemite. To me, that seems a bit far-fetched, and there’s no evidence for it whatsoever. They haven’t stopped putting out security releases for Yosemite just because El Capitan is in beta.

Further, you’ll notice that although I don’t particularly like the way Esser handled the release of this vulnerability, I don’t say anywhere that it’s not Apple’s fault. In fact, I’m calling them out above, if you re-read the article, by pointing out that it had become evident later that someone else had informed them of the issue.
Andrew

UNANSWERED QUESTIONS: What is the source of this installer? Was it a binary carrying an Apple trust signature? Does it use Apple’s standard “installer”? Does this installer request authentication by an administrative user in order to deliver its payload?

Follow-up questions indicating this is really a pointless article:
Why should we be surprised that a bogus third-party installer not on the App Store is a Trojan Horse? If so, why should Apple be held culpable when the user authenticates for root permissions on an installer outside the App Store? When was the last time anyone sane ran an adware installer, other than a researcher?
Thomas Reed

Yes, this exploit will affect a non-admin user just as easily as an admin user, unfortunately.
Thomas Reed

For someone well-versed in Unix, the file is not hidden. For the average Mac user, though, it may as well not exist, as they will probably not be at all aware of even the existence of the /etc/ directory. For all intents and purposes, it is hidden.
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs | Change your style, keep your budget()
Pingback: 0-Day Exploit Bug on Apple’s MacOS X (Yosemite) | Techorks – Business & Technology News()
Pingback: Hackers are installing malware on Macbooks - and there's nothing you can do to stop them - Shout@Web()
Pingback: Practical Help for Your Digital Life®News for This Week - Practical Help for Your Digital Life®()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs • TechRinger()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs | Come Here to compare()
Pingback: Mac root exploit spotted in the wild installing malware | Digital Trends()
Pingback: Wall Street National | Watch out for these serious Mac attacks - Wall Street National()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware • ViralLine()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs | I love going shopping.()
Pingback: Two Mac viruses strike at the heart of the platform's secure image | MASHINATION()
NeoStargate

Is Download Shuttle safe to use?

I downloaded it from the Mac App Store and it is the best app for accelerating downloads, that I have found. It also seems properly sandboxed since it can’t download to folders without previous permission. But this makes me insecure about using it.
Mark Choi

Um, that has absolutely nothing to do with how the issue is fixed in 10.11.
Pingback: DYLD_PRINT_TO_FILE exploit | Mac Virus()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware - News()
Pingback: So much for the unhackable Mac: Root exploit hits the wild with no fix in sight | mind your mac()
ChiDev

I prefer to use Progressive Downloader. There’s a chance it’s clean, there’s a chance it’s not.
Pingback: Mac fans! Don’t run any old guff from the web: Malware spotted exploiting OS X root bug | TechDiem.com()
Pingback: Hackers are exploiting an OS X flaw to install unwanted adware | Hooked Digital Media.Org()
Pingback: Mac OS X: Malware nutzt Root-Exploit in Yosemite offenbar aktiv aus | ARTSIN MAC News und Updates()
Pingback: A Privilege Bug In OS X Is Being Exploited To Hijack Macs | Gizmodo Australia()
Pingback: Ars Technica - Apple Mac Training UK()
Pingback: 0-day bug in fully patched OS X comes under active exploit to hijack Macs | I actually hate shopping.()
Pingback: Uma falha de privilégio no OS X é usada para invadir Macs | Tech News()
Pingback: Nuevo 0day en Mac OS X permite acceso root - Noticias de Tecnología, Noticias de Tecnología en México, Noticias de Tecnología en el mundoNoticias de Tecnología, Noticias de Tecnología en México, Noticias de Tecnología en el mundo()
Pingback: POKORNY | DYLD_PRINT_TO_FILE and malware: What you need to know()
Pingback: ste williams – Mac fans! Don’t run any old guff from the web: Malware spotted exploiting OS X root bug()
Pingback: Watch out for these serious Mac attacks | Stock Sector()
Pingback: Una falla in Mac OS X Yosemite espone gli utenti al rischio di malware | NUTesla | The Informant()
Pingback: DYLD_PRINT_TO_FILE and malware: What you need to know - SMART News Smart Reading()
Pingback: A flaw in Mac OS X Yosemite exposes users to the risk of malware - Wisely Guide()
Pingback: Two Mac viruses strike at the heart of the platform's secure image()
Pingback: 0-day bug in fully patched OS X comes under active exploit to bypass password protection | TechDiem.com()
Pingback: Mac attack: OS X Yosemite hit by zero-day vulnerability()
Pingback: AtomTimes » Malware OS X 10.10: Bug sicurezza installa adware senza richiedere password()
Pingback: Hackers are Exploiting an OS X Flaw to Install Tricky Adware | Technology and Lifestyle()
Pingback: Apple will fix Mac OS X bug amid security concerns | New Feeds UK()
Pingback: Una vulnerabilidad de día cero para Mac OS X permite a un atacante instalar malware()
Pingback: Hackers exploit OS X zero-day vulnerability | esetireland()
Pingback: Thunderstrike 2 y fallo de Seguridad OSX | SOLCER ACTUAL()
Steve Lee

May I ask a question: for a user logging in as Standard User, Mac configured not to accept programs by unknown publisher. Will the user by equally vulnerable?
Pingback: Sicherheitslücke in Yosemite wird bereits aktiv ausgenutzt - botfrei Blog()
Pingback: Apple promises fix for major security flaw in OS X Yosemite | ITProPortal.com()
Pingback: New zero-day attack threatens fully patched OS X | Serzy it now()
Pingback: New zero-day attack threatens fully patched OS X | BiznessWeb.net()
Pingback: New zero-day attack threatens fully patched OS X | Get Impressive News()
James Botting

I’m sorry, but I’m with m4rkw. Your tone in this article makes for a terrible read, and I don’t believe it is justified. Regardless of *your* intentions in the article, it reads like you blame Esser for the exploit, not Apple.
Pingback: New zero-day attack threatens fully patched OS X | 83news.com()
Pingback: New zero-day attack threatens fully patched OS X | Horizon Post()
Pingback: New zero-day attack threatens fully patched OS X | Viral World news()
Thomas Reed

As I’ve already stated, the exploit is obviously not Esser’s fault. That shouldn’t need to be said. It’s simply self-evident. Apple wrote the code, Apple is responsible for it.

However, Esser does bear the responsibility for releasing this as a zero-day into the wild, without giving Apple any chance to respond first (as far as he knew at the time). I don’t believe for one minute that these inept adware scammers would have found this vulnerability on their own. (They just aren’t that good.) Thus, Esser’s actions directly enabled them to exploit a vulnerability they wouldn’t have even known about.

The only good thing to come out of this is that it may spur Apple on to fix the problem more quickly.
James Botting

And I don’t believe that you can quote that he didn’t even attempt to speak to apple by just quoting something he said from the post, without even attempting to contact him or find out. Again, and in this comment thread, your tone is incredibly accusatory for someone who has actually fixed the exploit, and I don’t believe it is helpful to the situation one iota.
Thomas Reed

I don’t understand why something he said in his blog post shouldn’t be taken to mean what it says.

However, I will note that I did mention this to him on Twitter weeks ago, and he never denied that he’d made no attempt to contact Apple. That was kind of a core assumption for the conversation, so I’m sure it would have come up if he thought that was inaccurate.

In any case, all this is irrelevant to the issue being discussed in the article, and I’m not going to spend further time debating Esser’s behavior. I’ve said my piece, and I’m done with it. Ironically, I’d have been done with it quicker, but folks keep poking me about it… 😉
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | TechCrunch()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | Bain Daily()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | FreshPK()
Pingback: ثغرة خطيرة في نظام OS X 10.10 | تطور التقني()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | Tech News Magazines()
Pingback: New Zero-Day Exploit Can Completely Brick Your MacTech Giant News()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | Does Everybody Dream?()
Pingback: » New Zero-Day Exploit Can Completely Brick Your MacReview CJD()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | Cool()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac - DailyScene.comDailyScene.com()
Pingback: Encontrada la vulnerabilidad de OS X DYLD_PRINT_TO_FILE en acción – Como parchear tu Mac | SecurePyme()
Pingback: Two Mac viruses strike at the heart of the platform's secure image - Priority 1 Computer Service()
Pingback: DYLD_PRINT_TO_FILE exploit found in the wild – BSD Systems()
Pingback: Apple will patch the DYLD bug in its next OS X release | insurance()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | Entire News Link()
Pingback: Apple will patch the DYLD bug in its next OS X release | My Power Health()
Pingback: Apple will patch the DYLD bug in its next OS X release |()
Pingback: Apple will patch the DYLD bug in its next OS X release()
Pingback: Apple will patch the DYLD bug in its next OS X release - Ask a Question and Get Answer Frequently Asked Questions()
Pingback: Apple will patch the DYLD bug in its next OS X release — Cath News India()
Pingback: ثغرة خطيرة في نظام OS X 10.10 أصبحت مستغلة «المحترف» - الخبر السابع()
Pingback: ثغرة خطيرة في نظام OS X 10.10 أصبحت مستغلة «المحترف»()
James Manes

Ugh… I always run as a standard user. Was hoping it would make a difference for this.
Pingback: Apple will patch the DYLD bug in its next OS X release | Daily_V()
Pingback: Mac OS X Yosemite tiene un fallo que permitiría instalar malware | la tienda de jm()
Pingback: Apple will patch the DYLD bug in its next OS X release - Popular Trending | trends.my.id()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | U.N.I.C. TIMES()
Pingback: Apple to fix security bug in laptops, desktops – CBS News | Popular Gadgets Sale()
Pingback: SiliconBeat – Macs have flaws too — Researchers find security bugs in Apple computers()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | Pakistan Biggest Portal to Provide Latest News & Entertainment!()
Pingback: Engadget | Technology News, Advice and Features | Taiwan NO 01()
Pingback: Engadget | Technology News, Advice and Features | insurance()
Pingback: Apple will patch the DYLD bug in its next OS X release | Thalaippu()
Pingback: DYLD_PRINT_TO_FILE and malware: What you need to know - How to do everything!()
Pingback: Hackers usan exploit en OS X para instalar malware | YaLoSabe.net()
Latchezar Tzvetkoff

No one seems to see the real problem – it’s once again the DYLDo… Apple’s own hacks in the loader resemble much of the hacks once known (and heavily exploited) in the Linux kernel.
Pingback: New zero-day attack threatens fully patched OS X | Revealed Tech - Latest Technology News Portal()
Pingback: Macを完全なガラクタにしてしまうゼロデイエクスプロイトが発見された | TechCrunch Japan()
Pingback: A Privilege Bug in OS X Is Being Exploited to Hijack Macs | The Fat Cat Collective()
Pingback: Macを完全なガラクタにしてしまうゼロデイエクスプロイトが発見された | GarbWeeks()
Pingback: Why you shouldn't freak out about this week's scary-sounding Mac exploits | Magazine4Life()
Pingback: OS X 严重漏洞，让骇客无需密码即可攻击 Mac 电脑 | 虎扑()
Pingback: Sicherheitslücken im Doppelpack bei Apple | LC Production()
Pingback: New zero-day attack threatens fully patched OS X | NUTesla | The Informant()
Pingback: For Mac Users: Watch out for these serious Mac attacks, they are terrible | 319 Magazine()
Pingback: ثغرة خطيرة في نظام OS X 10.10 أصبحت مستغلة | عرب ديجيتال()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | FineDir.info()
magus007

What is the point of telling Apple… it is not like they will do anything about it… The have to go through the crisis that they really are not perfect and a fundamental belief that they are protected from security problems by the genius of Steve Jobs. They only act on security problems quickly if a B list celeb is hacked.
Pingback: Hackers usan exploit en OS X para instalar malware - GameFreaks Blog()
Pingback: Virus para OS X: un bug permite instalarlos con privilegios | ActualAPP()
Pingback: Attackers exploit Mac vulnerability in the wild | Latest News Global()
Pingback: Why you shouldn’t freak out about this week’s scary-sounding Mac exploits | The Today Online()
Pingback: Heb je een Mac, wees dan extra voorzichtig op het Internet. - STS Computers()
Pingback: Apple 將在下一版 OS X 更新中修復 DYLD 漏洞-大雨头条()
Stooker Adams

No they won’t. Don’t change that setting to “Anywhere”. By default you are not vulnerable because that setting is not on “Anywhere”.
Pingback: Engadget | Technology News, Advice and Features | Super Deal Shopper()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | Super Deal Shopper()
Thomas Reed

That app may have simply been the “bait” used to trick the user into downloading, and may be completely innocent. No sign that it’s malicious at this point. Apple has added other things from this installer to XProtect anti-malware signatures, but hasn’t removed Download Shuttle from the store, so that may be an indicator that it’s safe.
Pingback: Two Mac viruses strike at the heart of the platform's secure image - Resman - Network Support in Liverpool Resman – Network Support in Liverpool()
Pingback: ثغرة خطيرة في نظام OS X 10.10 أصبحت مستغلة | كل يوم فكرة()
Pingback: Why you shouldn’t freak out about this week’s scary-sounding Mac exploits | AppsGood()
Pingback: Crooks exploit public bug to plant adware on Yosemite Macs | Templar Shield()
Pingback: 1 – OS X sudoers exploit found in the wild | Offer Your()
Pingback: New zero-day attack threatens fully patched OS X | My Blog()
Pingback: 1 – OS X sudoers exploit found in the wild | Exploding Ads()
Gurki Thursday

Why should he make any attempt to contact Apple? It is Apple’s job to make sure their OS is a secure as possible. All this ‘responsible disclosure’ stuff just plays into the hands of the Secret Services such as NSA and GCHQ, since they probably know about it once Apple (or any other Software Company for that matter) gets ‘responsibly’ notified. Maybe they even know about some beforehand!

I think full disclosure is the only viable way to handle issues like this. The Companies just have to learn to be quick with their fixes, which they should be anyway! (I mean it is really annoying to see that 6 month after somebody ‘responsibly’ informed about a security issue and exactly nothing happens!! See for example Google’s project zero)

And I really dislike your accusatory tone as well!
foljs

“””I don’t understand why something he said in his blog post shouldn’t be taken to mean what it says.”””

Then you don’t understand reporting and verifying sources. Maybe you should abstain from it?
rickt

indeed! 1997 called, they wanted their LD_LIBRARY_PATH hacks back.
Pingback: In a huge move, IBM begins pitching Apple Macs for enterprise IT | Curious()
Pingback: Új biztonsági rés az OS X-ben - Androgeek()
Pingback: OS X sudoers exploit found in the wild | Your Security Source!!()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac - Printer Ink | Laptop Repair & Computer Repair San Diego Ca()
Pingback: Crooks exploit public bug to plant adware on Yosemite Macs | IT Hospital()
Mark Choi

The issue here is that the installer does NOT have to be authenticated for root permissions to modify sudoers. It is utilizing the DYLD_PRINT_TO_FILE vulnerability to write to the file without having to first get the proper, normally required login credentials. It is a serious issue, but the claim that there is nothing that can be done about it is nonsense. Just make a coy of the file and check it against the original from time to time.
Pingback: Engadget | Technology News, Advice and Features | Super Deal Shopper()
Pingback: Apple will patch the DYLD bug in its next OS X release | Super Deal Shopper()
Pingback: OS X 严重漏洞，让骇客无需密码即可攻击 Mac 电脑 | 天蓝()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | Blog Hub()
Pingback: Attackers exploit the Privilege Escalation 0-day in Mac | Dennis Nadeau Complaint Blog()
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | News()
Pingback: A Week in Security (Aug 02 – Aug 08) | Malwarebytes Unpacked()
Pingback: Crooks exploit public bug to plant adware on Yosemite Macs - IT Aid Centre()
Pingback: What you should know about the OS X flaw - GadgeTell | TechnologyTell()
Pingback: Zero-Day Exploit Can Completely Brick Your Mac | Jason Sojka()
Pingback: Apple 将在下一版 OS X 更新中修复 DYLD 漏洞 | 虎扑()
Pingback: Adware affects Mac users - ExpressVPN()
Pingback: Apple исправила важную уязвимость в OS X()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | PSD Total()
Pingback: Apple исправила важную уязвимость в OS X - Терещенко. Просто. Профессионально()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | Chup Anh Cuoi Gia ReChup Anh Cuoi Gia Re()
Pingback: OS X flaw leaves Macs vulnerable to attacks, no password required | Cikkek()
Pingback: 0-day bug in fully patched OS X comes under active exploit to bypass password protection » Apssites()
Grace

I know I’m a little late to this discussion, but I don’t completely understand how this vulnerability works? Today while browsing, I clicked a bad link (it had at least two redirects, both to gibberish URLs), and I immediately thought of this, along with the firmware vulnerability from about two weeks ago. Is it possible something this serious (or as serious as the firmware thing) could be downloaded just by clicking a bad link, or does it actually require you to install an application, such as the adware installer mentioned?

I’m a pretty cautious downloader, and only download from the App Store or a developer’s website, but the handful of times I’ve gotten bad redirects, it scares the heck out of me, because I don’t know if nothing happened, if something “minimal” happened (such as adware being installed), or if I should worry about something like my root privileges being taken advantage of or a worm spreading from my computer to everyone else’s.

Any help from someone more well-versed in this would be sincerely appreciated!
Pingback: New Zero-Day Exploit Can Completely Brick Your Mac | Boxkondee.com()
Pingback: Apple исправила важную уязвимость в OS X | Malanris's site()
Pingback: Apple fixed the vulnerability in OS X | Voice of America()
Pingback: New OS X 10.10.5 Privilege Escalation Vulnerability Discovered | Tech Feed - CPN DEV()
Pingback: New OS X 10.10.5 Privilege Escalation Vulnerability Discovered - iOS Gears()
Pingback: New OS X 10.10.5 Privilege Escalation Vulnerability Discovered | TheApplePips.com()
Pingback: New OS X 10.10.5 Privilege Escalation Vulnerability Discovered - George Nicolaou()
Pingback: New OS X 10.10.5 Privilege Escalation Vulnerability Discovered | DoFollowMe()
Pingback: Descubierta nueva vulnerabilidad que afecta a OS X 10.10.5 - Applelizados()
Pingback: [GadgeTell] What you should know about the OS X flaw | WWE Battleground Results, WWE Superstars and WWE Wallpapers! | All about Divas, Superstars, News and Tournaments!()
Pingback: Attackers exploit the Privilege Escalation 0-day in Mac | Hack3r Club()
Pingback: Ce que vous devez savoir sur Les Failles de MAC OSX | 01News()
Pingback: Newly discovered Mac malware tarnishes Apple’s security credentials | Maitland Business Tax()
Pingback: Newly discovered Mac malware tarnishes Apple’s security credentials | Best Cloud Accounting()
Pingback: LUXURY ART | OS X flaw leaves Macs vulnerable to attacks, no password required()
Pingback: Genieo installer tricks keychain | Malwarebytes Unpacked()
Pingback: The Safe Mac » Genieo installer tricks keychain()
Pingback: Genieo installer tricks keychain | vyagers()
Pingback: Twin Cities Mac Admins » Meetup notes – August 26, 2015()
Pingback: Attackers exploit the Privilege Escalation 0-day in Mac | Expl0itsExpl0its()
Pingback: Cloud Accounting Support()
Pingback: Apple:DYLD_PRINT_TO_FILE & sudoers Exploit: What are the markers in the sudoers file? – Apple Questions()
Pingback: Attackers exploit the Privilege Escalation 0-day in Mac | Daily Hackers News()
Pingback: ثغرة خطيرة في نظام OS X 10.10 أصبحت مستغلة | تقدر TEQDAR()
Pingback: Attackers exploit the Privilege Escalation 0-day in Mac | Hackers Talks()
Pingback: Archive News of the Week - Practical Help for Your Digital Life®()
Pingback: DYLD_PRINT_TO_FILE exploit found in the wild | BSD Systems()
Pingback: Unpatched Mac OS X Zero-day Bug Allows Root Access Without Password - Science and Technology - hettiginteractive.com()

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 15 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 8 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 3 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Thomas Reed
Director of Mac Offerings

Had a Mac before it was cool to have Macs. Self-trained Apple security expert. Amateur photographer.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

SEARCH LABS

TOP POSTS