Mac OS X root privileges zero-day under active exploit

Image credit: Malwarebytes

Disclosure without reporting to Apple bites innocent users.

Attackers are exploiting a recently disclosed zero-day vulnerability in the current version of Apple's OS X to install adware applications without a system password, according to researchers.

Earlier this month, security researcher Stefan Esser publicly disclosed the privilege-escalation bug, which stems from error-logging features that Apple introduced in OS X 10.10. He did not report the bug to Apple prior to public disclosure.

The bug arose because standard safeguards that are required when adding support for new environment variables to the dyld dynamic linker weren't used.

It means attackers can open or create files with root privileges that can live anywhere in the OS X file system, even in areas normally out of bounds to those who aren't superusers.

Researchers from anti-malware company Malwarebytes today said the vulnerability is now being actively exploited by a malicious installer that, when run, infects Macs with several types of adware.

The Vsearch and Geneio adware and MacKeeper junkware are installed, along with the Download Shuttle file downloader app, without user interaction.

Malwarebytes researcher Adam Thomas discovered the exploit after finding that the installer had modified the sudoers configuration file, which on UNIX-like systems determines who can obtain superuser permissions and is, for security reasons, inaccessible to standard users.

The firm said the modification to sudoers allowed the VSInstaller app to gain root permissions by running a shell script, without needing to enter a password.

"Part of the script involves deleting itself when it’s finished," the firm wrote in a blog post.

"The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.

"Then the script uses sudo's new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer’s disk image, giving it full root permissions, and thus the ability to install anything anywhere. (This app is responsible for installing the VSearch adware)."
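As an added defensive example (not code from the article, from Malwarebytes or from Esser), the following Python audits sudoers content for the kind of change described above: a NOPASSWD grant covering ALL commands. The sample sudoers text, including the offending last line, is constructed for illustration and is not the real installer's modification.

```python
import re
# Constructed sample sudoers content (not from the real installer); the last
# line is a hypothetical adware-style "passwordless root for everyone" grant.
SAMPLE_SUDOERS = """\
Defaults env_reset
root  ALL = (ALL) ALL
bob   ALL = (root) NOPASSWD: /usr/bin/less, \\
                   PASSWD: ALL
ALL   ALL = (ALL) NOPASSWD: ALL
"""
# Tags that may prefix a command and carry over to later commands in the list
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}
# user host = (runas) commands; the (runas) part is optional
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")

def parse_sudoers(text):
    # Join backslash continuations; skip blanks, comments (and #include
    # directives, which are not followed here), Defaults and alias lines.
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if (not line or line[0] == "#" or line.startswith("Defaults")
                or re.match(r"^(User|Host|Cmnd|Runas)_Alias\b", line)):
            continue
        m = SPEC_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def passwordless_commands(cmds):
    # Walk the comma-separated command list, tracking NOPASSWD/PASSWD state.
    nopass, out = False, []
    for item in cmds.split(","):
        item = item.strip()
        while ":" in item and item.split(":", 1)[0].strip().upper() in TAGS:
            tag, item = item.split(":", 1)
            tag, item = tag.strip().upper(), item.strip()
            if tag in ("NOPASSWD", "PASSWD"):
                nopass = tag == "NOPASSWD"
        if nopass:
            out.append(item)
    return out

def audit(text):
    # Report every (user, host, runas, cmd) granting NOPASSWD on ALL commands.
    return [(e["user"], e["host"], e["runas"], c)
            for e in parse_sudoers(text)
            for c in passwordless_commands(e["cmds"]) if c.upper() == "ALL"]
```

Running `audit` over the contents of /etc/sudoers (and any files under /etc/sudoers.d) on a stock OS X install should return an empty list; a hit like the sample's final line is worth investigating alongside the file's ownership and mode.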

According to Esser's earlier disclosure, the flaw is present in the current OS X 10.10.4 version of the operating system but has been fixed in 10.10.5.

Apple has yet to provide a fix for the problem for versions of OS X prior to 10.10.5, meaning users can only protect themselves by using a mitigation created by Esser, which Malwarebytes said raised some "serious questions about ethics and conflict of interest".
