Hackers actively exploiting OS X zero-day to root machines, deliver adware
“Attackers are actively exploiting a zero-day privilege escalation vulnerability affecting the latest version of Apple’s OS. The bug’s existence was publicly revealed last month by security researcher Stefan Esser.
The flaw, which is present in OS X 10.10.4 and the beta of OS X 10.10.5, but has been fixed in the beta of the upcoming OS X 10.11, allows them to silently saddle victims with unwanted adware and malware.
This is because it allows attackers to open or create arbitrary files owned by the root user anywhere in the file system.
The attack was unearthed by Malwarebytes researcher Adam Thomas, who analyzed a new adware installer and discovered that his sudoers file had been modified.
“For those who don’t know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password,” Malwarebytes’ Thomas Reed explained.
The app in question is VSInstaller, which would install the VSearch adware, a variant of the Genieo adware and the MacKeeper junkware, and would finally direct users to the Download Shuttle app on the Mac App Store, in the hopes that the user would find it interesting and download it.
Until Apple pushes out a fix for this flaw, users can protect themselves against this type of attack by installing Esser’s kernel extension that implements several mitigations for weaknesses involving SUID/SGID binaries (including the one exploited in this attack).”
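The quote above describes the tell-tale sign of this attack: a sudoers entry that grants root in a shell without a password. The following is an added example, not code from the article, from Malwarebytes or from Esser, showing how a defender could audit a sudoers file for that kind of tampering. It parses user-specification lines, flags NOPASSWD grants and grants that apply to every user, and checks the file's mode and owner against the values a stock sudoers file should have (0440, owned by root). The sample sudoers content and its final "ALL ... NOPASSWD" line are constructed for illustration, not the real modified file.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample of a sudoers file after tampering of the kind the article
# describes. The last line is invented for illustration only.
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
ALL     ALL=(ALL) NOPASSWD: ALL
"""

# Lines that are not user specifications and can be skipped by the audit.
_NON_RULE_PREFIXES = ("Defaults", "User_Alias", "Host_Alias",
                      "Cmnd_Alias", "Runas_Alias")
# Shape of a user specification: user host=(runas) [TAG:...] commands
_RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
_TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Parse user-specification lines into dicts; comments, Defaults and alias
    definitions are ignored. Each dict has user, host, runas, tags, commands."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(_NON_RULE_PREFIXES):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue                                 # unparsed line: not a rule
        user, host, runas, cmdspec = m.groups()
        tags = []
        while True:                                  # peel off leading TAG: markers
            t = _TAG_RE.match(cmdspec)
            if not t:
                break
            tags.append(t.group(1))
            cmdspec = cmdspec[t.end():]
        rules.append({"user": user, "host": host, "runas": runas or "",
                      "tags": tags, "commands": cmdspec.strip()})
    return rules


def find_suspicious(rules: List[Dict[str, object]],
                    expected_users: Tuple[str, ...] = ("root", "%admin")
                    ) -> List[Tuple[Dict[str, object], List[str]]]:
    """Return (rule, reasons) pairs for rules a defender should look at.
    expected_users is the set of principals normally granted sudo on the host
    (an assumption for this example; adjust to the local baseline)."""
    findings = []
    for r in rules:
        reasons = []
        if "NOPASSWD" in r["tags"]:
            reasons.append("NOPASSWD grant: root without a password")
        if r["user"] == "ALL":
            reasons.append("applies to every user on the system")
        elif r["user"] not in expected_users:
            reasons.append("principal not in the expected baseline")
        if reasons:
            findings.append((r, reasons))
    return findings


def check_file_metadata(mode: int, uid: int,
                        expected_mode: int = 0o440) -> List[str]:
    """Compare a sudoers file's permission bits and owner uid with the values
    a stock sudoers file has (mode 0440, owned by root). Takes plain ints so
    it can be exercised offline; see audit_sudoers_file for the live path."""
    issues = []
    if mode & 0o777 != expected_mode:
        issues.append(f"mode is {oct(mode & 0o777)}, expected {oct(expected_mode)}")
    if uid != 0:
        issues.append(f"owner uid is {uid}, expected 0 (root)")
    return issues


def audit_sudoers_file(path: str = "/etc/sudoers"):
    """Run both checks against a real file (requires read access to the file)."""
    st = os.stat(path)
    with open(path) as fh:
        rules = parse_sudoers(fh.read())
    return find_suspicious(rules), check_file_metadata(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for rule, why in find_suspicious(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{rule['user']} {rule['host']}=({rule['runas']}) "
              f"{' '.join(rule['tags'])} {rule['commands']}: {'; '.join(why)}")
    for issue in check_file_metadata(0o644, 501):
        print("file metadata:", issue)
```

On a live system, `audit_sudoers_file()` reads `/etc/sudoers` (root access is needed for that) and returns the rule findings and the metadata issues together; a rule that applies to `ALL` with a `NOPASSWD` tag, or a sudoers file that is no longer mode 0440 and root-owned, is the kind of change the article describes and is worth treating as an indicator of compromise rather than a misconfiguration.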