Mac OS X Bug Opens A Pathway For Adware - InformationWeek
News, 8/7/2015, 08:36 AM

An exploit of privilege settings in Apple's Mac OS 10.10 can leave users vulnerable to adware.


While the details of the latest vulnerability in Mac OS X 10.10 are esoteric, Malwarebytes has already found an adware installer using this exploit in the wild.

The latest security problem for Mac OS originates in code that Apple added to the 10.10 system software, code that bypasses the privilege checking done in other parts of the OS. That code gives attackers a way to gain root access to OS X, and root access lets them execute whatever code they want without hindrance.

Security researcher Stefan Esser wrote in his July 7 blog about a privilege escalation exploit associated with the DYLD_PRINT_TO_FILE environment variable. This variable tells the dynamic linker to send its output to a file instead of the usual standard error (stderr) stream. This is the part of Apple's system code where the missing file check occurred.


What happened to allow this? Basically, the revisions Apple made to the dynamic linker (dyld) in OS X 10.10 were faulty. In that version of the OS, environment-driven changes to the dynamic linker's behavior (such as redirecting where its output goes) did not invoke the usual safeguards the OS uses to check file privileges.

The usual file checking occurs when environment variables associated with the dynamic linker are passed to the processDyldEnvironmentVariable() function. That function checks what kinds of files are involved before they are added to the linked list dyld uses to set up what actually gets run. In OS X 10.10, however, the new variable was handled in the _main function of dyld itself. Putting it there bypassed processDyldEnvironmentVariable() entirely.

And therein lies the problem. Without a check of what kind of file was being created, any kind of file (even one that should be restricted) could be linked in and executed. Restricted files include those that run with root access to the system. As noted above, root access allows a file to execute any code it specifies. If that file is an attack, it then has an easy time carrying out the attack and erasing the trail it leaves behind.
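The flaw the preceding paragraphs describe is structural: one variable was parsed outside the routine that knows whether the process is privileged. The C program below is an added illustration written for this article, not Apple's dyld source. The struct and function names (dyld_opts, split_env, process_environment_10_10, process_environment_fixed) are invented, and the gate is a deliberate simplification of what dyld does in restricted mode; only the two DYLD_* variable names are real. It places the 10.10 layout, which honors DYLD_PRINT_TO_FILE in a restricted process, beside a fixed layout that routes every DYLD_* variable through the single gate.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Apple's dyld source. The struct and function names
 * are invented; only the two environment variable names are real. */
struct dyld_opts {
    const char *print_to_file;   /* path from DYLD_PRINT_TO_FILE, if honored */
    const char *library_path;    /* value of DYLD_LIBRARY_PATH, if honored */
};

/* The single gate. A restricted process (one running with privileges its
 * caller lacks, e.g. set-uid) gets none of its DYLD_* variables honored;
 * everyone else gets the known ones applied. This stands in for the role
 * the article assigns to processDyldEnvironmentVariable(). */
static void process_dyld_environment_variable(const char *name, const char *value,
                                              int restricted, struct dyld_opts *o)
{
    if (restricted)
        return;              /* caller-supplied input must not steer a privileged process */
    if (strcmp(name, "DYLD_PRINT_TO_FILE") == 0)
        o->print_to_file = value;
    else if (strcmp(name, "DYLD_LIBRARY_PATH") == 0)
        o->library_path = value;
    /* any other DYLD_* name is ignored */
}

/* Split one "NAME=value" envp entry; returns 0 for malformed or overlong names. */
static int split_env(const char *entry, char *name, size_t cap, const char **value)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || (size_t)(eq - entry) >= cap)
        return 0;
    memcpy(name, entry, (size_t)(eq - entry));
    name[eq - entry] = '\0';
    *value = eq + 1;
    return 1;
}

/* Model of the 10.10 layout the article describes: the new variable is
 * parsed in _main itself, so the loop never carries it to the gate. */
void process_environment_10_10(char **envp, int restricted, struct dyld_opts *o)
{
    char name[64];
    const char *value;
    memset(o, 0, sizeof *o);
    for (; *envp != NULL; envp++) {
        if (!split_env(*envp, name, sizeof name, &value))
            continue;
        if (strcmp(name, "DYLD_PRINT_TO_FILE") == 0) {
            o->print_to_file = value;     /* BUG: 'restricted' is never consulted here */
            continue;
        }
        if (strncmp(name, "DYLD_", 5) == 0)
            process_dyld_environment_variable(name, value, restricted, o);
    }
}

/* Fixed layout: every DYLD_* variable, old or new, passes through the gate. */
void process_environment_fixed(char **envp, int restricted, struct dyld_opts *o)
{
    char name[64];
    const char *value;
    memset(o, 0, sizeof *o);
    for (; *envp != NULL; envp++) {
        if (!split_env(*envp, name, sizeof name, &value))
            continue;
        if (strncmp(name, "DYLD_", 5) == 0)
            process_dyld_environment_variable(name, value, restricted, o);
    }
}

int main(void)
{
    /* Constructed environment, as the caller of a set-uid program might supply it. */
    char *env[] = { "PATH=/usr/bin", "DYLD_PRINT_TO_FILE=/tmp/example.log", NULL };
    struct dyld_opts a, b;
    process_environment_10_10(env, 1, &a);
    process_environment_fixed(env, 1, &b);
    printf("10.10 model, restricted process, output redirected: %s\n", a.print_to_file ? "yes" : "no");
    printf("fixed model, restricted process, output redirected: %s\n", b.print_to_file ? "yes" : "no");
    return 0;
}
```

Compile with any C compiler (for example `cc -o dyldmodel dyldmodel.c`) and run it without arguments. The design lesson for code review is that a privilege check enforced in one routine protects only the inputs that actually reach that routine; any parsing of caller-controlled input that happens before the gate, as the new variable's handling did here, silently opts out of it.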

Halishadow/iStockphoto

Esser does provide a patch, however. It is not for the fainthearted, since it requires compilation. Its source can be found in his GitHub repository.

The exploit found by Malwarebytes is hidden in an adware installer the firm was researching. The adware installer's script modifies the sudoers file, which determines which users and commands have root access to the system. The modification turns off the password normally required to obtain that root access.

Malwarebytes' Thomas Reed wrote in a blog post that the adware's script then uses the sudoers file's new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer's disk image. Reed wrote: "For those who don't know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password. This basically gives adware full root permissions, and thus the ability to install anything, anywhere."
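To show what the sudoers change Reed describes looks like to a defender, the C program below is an added example written for this article, not Malwarebytes' tooling. It scans sudoers text for the two common ways a rule removes the password prompt, the NOPASSWD tag on a user rule and a `Defaults` line carrying `!authenticate`. The function names (is_passwordless_rule, audit_sudoers_text) and the sample file contents are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Malwarebytes' tooling. Function names are invented. */

static const char *skip_ws(const char *s)
{
    while (*s == ' ' || *s == '\t')
        s++;
    return s;
}

/* Returns 1 if a single sudoers line grants password-free use of sudo.
 * Blank lines and lines starting with '#' (comments and #include
 * directives alike) never match. */
int is_passwordless_rule(const char *line)
{
    const char *p = skip_ws(line);
    if (*p == '\0' || *p == '#')
        return 0;
    if (strncmp(p, "Defaults", 8) == 0)
        return strstr(p, "!authenticate") != NULL;   /* disables the prompt globally or per user */
    return strstr(p, "NOPASSWD:") != NULL;           /* tag on a user specification */
}

/* Walks a sudoers text line by line, prints each passwordless rule with its
 * line number, and returns how many were found. */
int audit_sudoers_text(const char *text)
{
    int hits = 0, lineno = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;          /* truncate absurdly long lines, still scanned */
        memcpy(line, p, len);
        line[len] = '\0';
        lineno++;
        if (is_passwordless_rule(line)) {
            hits++;
            printf("line %d: %s\n", lineno, line);
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return hits;
}

/* Constructed sample: a stock-looking file plus the kind of lines that
 * remove the password requirement. The commented-out rule must not count. */
static const char *SAMPLE_SUDOERS =
    "# sudoers file\n"
    "Defaults env_reset\n"
    "root ALL=(ALL) ALL\n"
    "%admin ALL=(ALL) ALL\n"
    "# %admin ALL=(ALL) NOPASSWD: ALL\n"
    "alice ALL=(ALL) NOPASSWD: ALL\n"
    "Defaults:bob !authenticate\n";

int main(int argc, char **argv)
{
    if (argc == 2) {
        /* Audit a real file, e.g. /etc/sudoers (readable only by root). */
        FILE *f = fopen(argv[1], "rb");
        if (f == NULL) {
            perror(argv[1]);
            return 1;
        }
        char buf[65536];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        return audit_sudoers_text(buf) > 0 ? 2 : 0;   /* non-zero exit flags a finding */
    }
    printf("%d passwordless rule(s) in the constructed sample\n", audit_sudoers_text(SAMPLE_SUDOERS));
    return 0;
}
```

Run it with no arguments to see the sample audited, or with a file path to audit a real sudoers file; the exit status of 2 on a finding lets a periodic integrity check alert on it. Two caveats: files pulled in by `#include` or `#includedir` directives must be scanned separately, and on a live system `sudo -l` (the caller's effective rules) and `visudo -c` (syntax validation) remain the supported ways to inspect the configuration, with this scanner only illustrating what such a check looks for.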

The VSInstaller app is responsible for installing the VSearch adware program, which delivers pop-up ads and also installs a toolbar. Apple has identified it as malicious. In addition to VSearch, the installer also installs a variant of the Genieo adware and the MacKeeper junkware.

As its final operation, it directs the user to the Download Shuttle app on the Mac App Store. The affected system then has two programs cramming it full of unwanted ads, plus an unwanted referral to a product. The adware can be removed using the instructions on Malwarebytes' site.

Apple knows about this exploit. Esser reported it before he went public, and tweeted that the July 30 build of OS X 10.10.5 contains the fix. That means it should reach the general public soon.

The upcoming version of OS X (10.11) handles root access very differently, so this kind of exploit will not work there. What Apple causes, it eventually fixes.

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet ...

Comments
Li Tan,
User Rank: Ninja
8/8/2015 | 9:17:22 PM
Re: Apple fixes
I agree. Actually Apple should think about how to prevent the root cause from happening. Making the fix is good but the upgrade of OS on mobile devices is rather slow. Many end users even do not have the mindset to keep the OS version up to date. So the best strategy is still keeping the problem from happening before the OS is released.
larryloeb,
User Rank: Author
8/8/2015 | 4:09:06 PM
Re: Apple fixes
Well, if you assume that the system can't be broken even if your attacker knows what is in plain sight, yes.

From Wikipedia: "In cryptography, Kerckhoffs's principle (also called Kerckhoffs's desiderata, Kerckhoffs's assumption, axiom, or law) was stated by Auguste Kerckhoffs in the 19th century: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
soozyg,
User Rank: Ninja
8/8/2015 | 3:56:43 PM
Re: Apple fixes
Interesting, so hiding something in plain sight could be a tactic here?
larryloeb,
User Rank: Author
8/8/2015 | 3:47:01 PM
Re: Apple fixes
Yup. A Polish count stated it first.

You can't be assured of security just because you hide something.

It's the basis of why public key crypto works in the first place. You have to find a secure method that will work even if your attacker knows something that you hide.
soozyg,
User Rank: Ninja
8/8/2015 | 2:32:54 PM
Re: Apple fixes
@larryloeb, ah, that's why I rarely see you. 3p EST is not doable for me these days, I'm usually running around with the kids after camp or school. I think I have been to one event in the last 2 months.

Security through obscurity?
larryloeb,
User Rank: Author
8/8/2015 | 1:53:51 PM
Re: Apple fixes
Hey soooooooooooooz. I hang at the Friday afternoon chats, come by and get insulted.

That has always been the question: let them know and thereby encourage exploiting, or just shut up and hope for security through obscurity. The balance has shifted lately, because someone always finds out and talks.

And one of the principal tenets of modern security is that security through obscurity never works.
larryloeb,
User Rank: Author
8/8/2015 | 1:49:20 PM
Re: Apple fixes
The next big upgrade (10.11) is reportedly using a "root-less" system, unlike most Unix systems. (OS X has been based on the Mach flavor of Unix since Steve Jobs bought the rights to it for his NeXT box.)

The exact specs of this security are still NDAed, so we have to wait for it to show up to see what is under the hood.
soozyg,
User Rank: Ninja
8/8/2015 | 1:41:43 PM
Re: Apple fixes
@LarryLoeb long time no see.

The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.

Isn't there a balance between talking to the public about a hole vs. letting the public know so users can fix it?
danielcawrey,
User Rank: Ninja
8/8/2015 | 12:08:13 PM
Re: Apple fixes
I wonder why Apple would allow this type of root access to the system. There must have been a reason for doing this, and I'm sure we'll never fully understand why.
larryloeb,
User Rank: Author
8/7/2015 | 7:35:15 PM
Re: Apple fixes
So far, anyway.

They even pushed out a security fix (for the NTP problem) that got installed whether you want it or not.

Only time that has happened since 1984 that I know of.