A new bug in the latest, fully patched version of OS X is being exploited by hackers. The vulnerability allows attackers to install malware on a Mac without needing any system passwords.
Hot on the heels of the world’s first firmware worm for Mac, Ars Techinca reports that a bug first identified last week is now being exploited in the wild by hackers. The issue is a result of a new error-logging feature in OS X, which can be exploited by nefarious developers to create files with root privileges that can sit anywhere in the OS X file system.
That, as you may have realized, is a Bad Thing. Yesterday, researchers from anti-malware firm Malwarebytes announced that they’d identified a malicious installer in the wild that was exploiting the vulnerability to install malware without any need for a password. They explain in a blog post:
For those who don’t know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.
The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.
Then the script uses sudo’s new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer’s disk image, giving it full root permissions, and thus the ability to install anything anywhere.
So, umm, that’s bad. The flaw can be found in current, fully patched 10.10.4 version of OS X, but isn’t present in a beta version of 10.11 — which suggests that Apple developers knew it was a problem. However, until Apple releases a fix, there aren’t many good options. There is a third-party patch available online, but installing that is probably not the best of ideas.
Instead, it’s probably best to wait until Apple developers release an official patch—so be sensible out there on the internet for now.
Image by Björn Olsson under Creative Commons license.