Hackers are Exploiting an OS X Flaw to Install Tricky Adware
A security flaw in an operating system is dangerous, but a security flaw that’s being actively exploited in the wild, and for which there is no official fix, is much more problematic.
That’s exactly what’s happening to Apple’s latest version of OS X, according to security company Malwarebytes. An OS X security flaw detailed in July by security researcher Stefan Esser allows an attacker to install software on a user’s computer without permission or password. Now, Malwarebytes researcher Thomas Reed has encountered an exploit that takes advantage of this flaw, installing VSearch and Genieo adware as well as MacKeeper junkware — in short, software that you don’t want on your computer, ever.
The exploit takes advantage of a vulnerability in an environment variable DYLD_PRINT_TO_FILE in OS X 10.10.x, which is normally used for error logging. According to Esser, the vulnerability has been fixed in the OS X 10.11 beta versions, but is not fixed in the current version — OS X 10.10.4 — nor in the 10.10.5 beta version.
Update: According to a tweet from Esser, Apple did fix the vulnerability in OS X 10.10.5 beta 2 version.
Looks like dropping DYLD_PRINT_TO_FILE exploit resulted in Apple having fixed it in OS X 10.10.5 beta “2” – suddenly they can work “faster”
— Stefan Esser (@i0n1c) July 31, 2015
Furthermore, Apple has confirmed to Mashable that the vulnerability has indeed been fixed in a new OS X 10.10.5 beta version. There’s no word, however, on when a full version of OS X 10.10.5 will be released to the public.
Reed claims Esser’s behavior was irresponsible, as he publicly revealed the flaw without notifying Apple first. And while Esser created his own software that he claims fixes the issue, Reed advises against using it.
“There is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest,” he wrote in a blog post.