Crooks exploit public bug to plant adware on Yosemite Macs

The vulnerability installs adware and junkware, but so far hasn't been exploited for more serious attacks.

A vulnerability in OS X Yosemite that went public last month is being used by cyber criminals to plant adware on Macs, a security researcher said today.

"As far as we've been able to determine, it just installs adware and junkware," said Thomas Reed, director of Mac offerings at Malwarebytes, a San Jose, Calif. security firm. "It's annoying, but not malicious."

That's not to say the vulnerability isn't serious: The same group, or others, could easily leverage the vulnerability to infect Macs with more substantial attack code, Reed said.

The vulnerability -- which is Yosemite-specific -- was publicly disclosed last month by German researcher Stefan Esser, who also posted exploit code. According to a Korean researcher who goes by the nickname "beist" on Twitter, the bug had been reported to Apple before Esser revealed the flaw.

Esser took heat from some quarters for not informing Apple before publishing his findings.

Malwarebytes' Adam Thomas found an exploit for the vulnerability in the wild after examining an adware installer, which used the privilege-escalation flaw to drop its payload without the user's knowledge. Mac users are normally required to enter an administrator password before installing software on their systems.

"The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password," wrote Thomas in an Aug. 3 blog.

sudoers is a Unix file that, among other things, determines which users have "root" permissions in a Unix shell. The change to sudoers "gives any user, even guest users, rights to write to any file," said Reed of Malwarebytes.
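As an added defender-side check (not code from the article or from Malwarebytes), this POSIX shell function scans a sudoers file for an entry that hands every user passwordless root, the kind of change described above; the sample sudoers content is constructed, modelled on the macOS defaults plus one injected line.

```shell
#!/bin/sh
# Report sudoers entries that grant all commands without a password.
# Prints "RISK:" for an entry that applies to every user (ALL) and
# "WARN:" for one scoped to a user or group. Returns 1 if any RISK
# entry was found, 0 otherwise.
audit_sudoers() {
    file="$1"
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments and surrounding whitespace.
        entry=$(printf '%s' "$line" | sed 's/#.*$//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        # Defaults and alias definitions grant nothing on their own.
        case "$entry" in
            Defaults*|User_Alias*|Runas_Alias*|Host_Alias*|Cmnd_Alias*) continue ;;
        esac
        user=${entry%%[[:space:]]*}   # first field: user, %group or ALL
        case "$entry" in
            *NOPASSWD:*ALL*)
                if [ "$user" = "ALL" ]; then
                    echo "RISK: $entry"   # every user, even guest, gets root
                    found=1
                else
                    echo "WARN: $entry"   # passwordless root for a subset
                fi ;;
        esac
    done < "$file"
    return $found
}

# Constructed sample: stock-looking entries plus an injected catch-all.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD: ALL
EOF
audit_sudoers "$sample" || echo "sudoers grants passwordless root to every user"
rm -f "$sample"
```

On a real system the file to pass is /etc/sudoers (readable only as root), and any RISK line is a deviation from Apple's shipped defaults.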

The adware installer that monkeys with sudoers is delivered as a Trojan horse, Reed added, which poses as a file download utility.

Although Reed said Malwarebytes did not have enough data to describe the extent of the campaign waged against Yosemite-powered Macs, he did say that the vulnerability was being put to work by adware shillers.

"Malware itself is very rare on Macs," Reed acknowledged. "What's not so rare is adware. There's an adware epidemic right now. Almost every day we see new adware coming to the Mac."

"Adware" is the broad term for unwanted software that displays unauthorized ads when people browse websites; the ads often take the form of irritating pop-ups.

The bug is limited to Yosemite, aka OS X 10.10, which is used by about 62% of all Mac owners, according to the latest statistics from analytics vendor Net Applications.

Neither OS X El Capitan (10.11), the upgrade now in testing that will launch in the next few months, nor Yosemite 10.10.5 -- an update also in beta -- contains the vulnerability, Reed said, signaling that Apple has patched the bug.

Yosemite 10.10.5, likely the final non-security update for the 2014 OS, will be released several weeks before Apple ships El Capitan.

Stories by Gregg Keizer