Zero-day OS X bug revealed in July already exploited in the wild


A 'zero-day' bug discovered in the latest version of Mac OS X has been exploited by real-world malware before Apple has been able to release a patch.

The problem, revealed in public last month by security researcher Stefan Esser, relates to an error-logging feature introduced in OS X 10.10. The code lacks safeguards that would prevent attackers from creating files with wide-ranging privileges anywhere in the OS. If exploited, the flaw, known as 'DYLD_PRINT_TO_FILE', would give hackers the ability to install anything on an OS X system without using a password, opening up seemingly endless types of potential fraud.
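Because the flaw is triggered by setting the DYLD_PRINT_TO_FILE environment variable, one practical defensive check is to scan installer scripts, launch configurations and shell histories for that variable being set and to flag cases where the target path lands in a system directory. The scanner below is an added example, not code from the article, from Apple, or from the researchers it quotes; the sample script lines are constructed, and the list of "privileged" directory prefixes is an illustrative assumption rather than an exhaustive one.

```python
import re
from dataclasses import dataclass

# Directories where a file written with root privileges affects the whole
# system. Assumption: this prefix list is illustrative, not exhaustive.
PRIVILEGED_PREFIXES = ("/etc/", "/private/etc/", "/usr/", "/System/",
                       "/Library/", "/bin/", "/sbin/")

# Matches shell-style assignments of the variable in its common forms:
#   DYLD_PRINT_TO_FILE=/path cmd
#   export DYLD_PRINT_TO_FILE="/path"
#   env DYLD_PRINT_TO_FILE='/path' cmd
_ASSIGN_RE = re.compile(
    r"""(?:^|\s)(?:export\s+|env\s+)?DYLD_PRINT_TO_FILE=(["']?)([^\s"']+)\1"""
)


@dataclass
class Finding:
    line_no: int   # 1-based line in the scanned text
    target: str    # path the variable points at
    severity: str  # "high" if the path is in a system directory, else "medium"
    text: str      # the offending line, stripped


def classify(target: str) -> str:
    """Rate a target path: writes into system directories are the dangerous case."""
    return "high" if target.startswith(PRIVILEGED_PREFIXES) else "medium"


def scan_lines(lines):
    """Return a Finding for every line that sets DYLD_PRINT_TO_FILE."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in _ASSIGN_RE.finditer(line):
            target = m.group(2)
            findings.append(Finding(n, target, classify(target), line.strip()))
    return findings


# Constructed sample: lines as they might appear in an installer's post-install
# script. Only lines 4-6 set the variable; line 4 and 6 point at system paths.
SAMPLE_SCRIPT = """#!/bin/sh
set -e
echo "Installing helper..."
export DYLD_PRINT_TO_FILE=/etc/example.conf
DYLD_PRINT_TO_FILE=/tmp/dyld_debug.log /usr/bin/true
env DYLD_PRINT_TO_FILE="/Library/example.plist" ./helper
cp helper /usr/local/bin/
""".splitlines()

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SCRIPT):
        print(f"line {f.line_no}: severity={f.severity} target={f.target}: {f.text}")
```

Running the scanner over a real package's scripts (for example, the contents of a .pkg's Scripts archive) is a cheap triage step: a legitimate installer has no reason to point dyld's log file at /etc or /Library, so a "high" finding is worth a closer look before the package is allowed to run.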

At the time it was disclosed, the exploit was purely hypothetical. Not any more: Malwarebytes reports that the flaw has already been exploited for real.

In a blog post Malwarebytes' Adam Thomas claims to have discovered a malicious installer that was able to install VSearch and MacKeeper junk programs without needing a password. "This is obviously very bad news," he writes. "Unfortunately, Apple has not yet fixed this problem, and now it is beginning to bear fruit."

The hope among researchers was that Apple would be able to fix the bug before the hackers used it. Esser even released his own kernel extension to protect against the attacks, though installing that comes with obvious risks.

Esser incurred criticism for releasing the news, because reports suggest he did not tell Apple before making it public, as is standard practice amongst security researchers. Esser has rejected the criticism, saying that Apple, not he, should be blamed, since he merely reported the bug.

As it turns out, Apple knew about the flaw already -- another researcher had clued them in without making it public -- and the exploit does not work in beta versions of OS X 10.11, suggesting a fix for 10.10 is on the way. As of now, though, any OS X user remains vulnerable. "Worse, there is no good way to protect yourself, short of installing Esser's software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest," Thomas writes. "Hopefully, this discovery will spur Apple to fix the issue more quickly."

Apple has not yet commented on the bug, but we will update this post when a fix has been released.

This article was originally published by WIRED UK