August has been quite the month for vulnerabilities, and especially for zero-days. Everything from Android to Apple was affected, and now researchers have disclosed yet another zero-day vulnerability in Apple’s OS X 10.10 Yosemite operating system. The latest exploit allows attackers to install malware and gain root access to the system without any administrative privileges.
The latest zero-day follows a previous issue in DYLD, the DYLD_PRINT_TO_FILE vulnerability, which Apple moved quickly to patch in a new OS X point release.
Apple moved fast to patch that recent zero-day in DYLD; however, the patch issued supported a new DYLD_PRINT_TO_FILE variable which, according to security researcher Stefan Esser, lacked the “safeguards” that are generally put in place when new variables are introduced to DYLD.
“Normally for security reasons the dynamic linker should reject all environment variables passed to it in case of restricted files. This is automatically handled when new environment variables are added to the processDyldEnvironmentVariable() function,” Esser wrote in a July report. “However in the DYLD_PRINT_TO_FILE case the code was directly added to the _main function of dyld.”
Now Italian researcher Luca Todesco has discovered a new zero-day vulnerability in Mac OS X affecting the latest v10.10.5 Yosemite update. Immediately following his discovery, he posted his findings to Twitter:
this is on 10.10.4 but 10.10.5 shouldn't make a difference. pic.twitter.com/dFTiTcUm06
— Luca Todesco (@qwertyoruiop) August 15, 2015
Todesco released his exploit on GitHub. It relies on a combination of attacks, including a null pointer dereference in I/O Kit, the open-source framework that allows developers to write device drivers for Apple’s OS X and iOS operating systems, and it drops a proof-of-concept payload into a root shell. Todesco did say the vulnerability may have been mitigated in Apple OS X El Capitan, thanks to its new “rootless” security feature.
The zero-day vulnerability gives attackers root access on a wide range of OS X builds, including 10.10, 10.10.1, 10.10.2, 10.10.3, 10.10.4 and 10.10.5, if the machine is not using a password.
Todesco did not responsibly disclose the vulnerability to Apple and instead released it publicly. We are hopeful Apple will release a patch; however, the company took a little less than a month to patch the old DYLD vulnerability.
As the vulnerability is still fresh, we urge all MacBook owners to keep an eye on who has access to their laptop and stay safe.