Apple To Fix Privilege Bug Endangering Your Mac ‘As Soon As Possible’

Yesterday it came to light that a new OS X bug is being exploited, allowing attackers to install malware on a Mac without needing any system passwords. Now, Apple has announced that it will fix the bug ‘as soon as possible.’

The Guardian reports that Apple will include a patch for the privilege escalation bug in the next security update for OS X, 10.10.5. Initially, some were concerned that a lack of a fix in existing beta versions of the 10.10.5 update would leave Macs vulnerable until the next major iteration of the OS, El Capitan, was released. But Apple reassures the newspaper that a fix will roll out sooner. The company has also taken the precaution of blacklisting apps that are known to use the exploit, which may help save some people from attacks due to the vulnerability.

Along with the world’s first firmware worm for Mac, these new security threats raise some concerns about the once-heralded security benefits of Apple’s systems.

[Guardian]

Image by Björn Olsson under Creative Commons licence.


A new bug in the latest, fully patched version of OS X is being exploited by hackers. The vulnerability allows attackers to install malware on a Mac without needing any system passwords.

Hot on the heels of the world’s first firmware worm for Mac, Ars Technica reports that a bug first identified last week is now being exploited in the wild by hackers. The issue is a result of a new error-logging feature in OS X, which can be exploited by nefarious developers to create files with root privileges that can sit anywhere in the OS X file system.

That, as you may have realised, is a Bad Thing. Yesterday, researchers from anti-malware firm Malwarebytes announced that they’d identified a malicious installer in the wild that was exploiting the vulnerability to install malware without any need for a password. They explain in a blog post:

For those who don’t know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.

The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.

Then the script uses sudo’s new password-free behaviour to launch the VSInstaller app, which is found in a hidden directory on the installer’s disk image, giving it full root permissions, and thus the ability to install anything anywhere.

So, umm, that’s bad. The flaw can be found in the current, fully patched 10.10.4 version of OS X, but isn’t present in a beta version of 10.11 — which suggests that Apple developers knew it was a problem. However, until Apple releases a fix, there aren’t many good options. There is a third-party patch available online, but installing that is probably not the best of ideas.

Instead, it’s probably best to wait until Apple developers release an official patch — so be sensible out there on the internet for now.
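
The sudoers change Malwarebytes describes leaves a trace that can be checked for. As an added example (not code from Malwarebytes, Apple or this article), the Python below audits sudoers text for rules that skip the password prompt. It assumes the change takes the standard `NOPASSWD` tag or `!authenticate` Defaults form, since the article does not quote the modified line; the sample file and the function names are constructed for illustration.

```python
import re

# Constructed sample sudoers content; not from a real system or the installer.
SAMPLE_SUDOERS = """\
# sudoers file (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# alice ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: \\
        /usr/bin/rsync
mallory ALL=(ALL) NOPASSWD: ALL
"""

def logical_lines(text):
    """Yield (first_line_no, rule) with continuations joined, comments removed."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        if raw.endswith("\\"):          # trailing backslash continues the rule
            buf += raw[:-1] + " "
            continue
        # '#' starts a comment unless it introduces a uid (#501) or #include.
        line = re.sub(r"#(?!\d|include).*", "", buf + raw).strip()
        buf = ""
        if line:
            yield start, line

def passwordless_rules(text):
    """Return (line_no, subject, kind) for every rule that skips the password."""
    findings = []
    for n, line in logical_lines(text):
        subject = line.split()[0]
        if re.match(r"Defaults\S*\s+.*!\s*authenticate\b", line):
            findings.append((n, subject, "no-authenticate"))
        elif re.search(r"\bNOPASSWD\s*:", line):
            # 'NOPASSWD: ALL' covers every command; anything else is scoped.
            scope = "all" if re.search(r"NOPASSWD\s*:\s*ALL\s*(,|$)", line) else "limited"
            findings.append((n, subject, "nopasswd-" + scope))
    return findings

if __name__ == "__main__":
    for line_no, subject, kind in passwordless_rules(SAMPLE_SUDOERS):
        print(f"line {line_no}: {subject} -> {kind}")
```

To check a real machine, pass the contents of /etc/sudoers to `passwordless_rules`; reading that file requires root.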

[Malwarebytes via Ars Technica]


