In-the-wild attack exploits unpatched OS X zero-day vulnerability

Evil Apple Last month, security researcher Stefan Esser published details and proof-of-concept code of a zero-day vulnerability in OS X Yosemite that could allow a hacker to easily escalate their privileges, and take complete control over Mac computers.

Esser chose not to contact Apple about the DYLD_PRINT_TO_FILE vulnerability – which remains currently unpatched in OS X Yosemite, despite it curiously being fixed in the beta version of the next iteration of OS X, El Capitan.

Now, security firm Malwarebytes has discovered an in-the-wild attack exploiting the vulnerability, where root permission is gained on the computer without a password being needed.

According to the firm, the attack installs a version of the VSearch and Genio adware, alongside a copy of the controversial MacKeeper app.

Sign up to our free newsletter.
Security news, advice, and tips.

The VSearch adware is frequently hidden within installers for bogus video streamers. Once it has got its claws into your Mac, you will find yourself pestered by pop-up adverts and find your online searches redirected to a different search engine to generate revenue for the attackers.

As a final flourish, according to Thomas Reed of Malwarebytes who analysed the latest attack, users are being directed to an app called Download Shuttle app in the Mac App Store.

Download Shuttle on the Mac App store. Source: Malwarebytes
Download Shuttle on the Mac App store. Source: Malwarebytes

It’s worrying to see the vulnerability is now being exploited by bad guys, and the lack of response so far from Apple as to how they expect Yosemite users to protect themselves.

Right now, with no fix currently available from Apple itself, your best course of action may be to trust Stefan Esser – the same guy who made the vulnerability public in the first place.

Esser’s firm SektionEins has released a kernel extension called SUIDGuard that protects computers from the threat. You can download its source code from GitHub.

For more information on the latest attack, check out Thomas Reed’s post on the Malwarebytes blog.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.

Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “In-the-wild attack exploits unpatched OS X zero-day vulnerability”

  1. Coyote

    As I pointed out over on Intego, it is a marketing ploy on his part (ignoring the part about sincerity and more professional way would be hosting the fix on his server).

    He doesn't contact Apple, he offers his own fix, explains the exploit (which many wouldn't understand… I do because I'm familiar with Unix system programming etc., but the average users wouldn't) then before showing a POC exploit, he has:

    "Before I share a working POC exploit for this problem with you, let me finish this post by highlighting that SektionEins is organizing several OS X and iOS related trainings later this year. If you enjoyed this blog post then especially the OS X and iOS Kernel Internals for Security Researchers Training* in October should be of interest for you."

    … all of which is a sneaky and pathetic way of advertising his organisation. I'm not even going to discuss Apple here or even 0-day exploits: the problem here is how is abusing a flaw in order to get customers (even if they are free – I don't know if they are – the fact is it brings them attention). That is self-centred and manipulative.

  2. Wayne

    Finds an exploit + doesn't tell the vendor + publishes details of said exploit = lack of ethics in my book. Whatever beef he has is Apple is one thing, why carry it over to Apple users?

  3. Bryan

    Maybe just don't download a notoriously questionable piece of software? Just sayin'.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.