Crooks exploit public bug to plant adware on Yosemite Macs

Apple has patched the vulnerability in El Capitan and the latest Yosemite update, both now in beta testing

Nick Barber

A vulnerability in OS X Yosemite that went public last month is being used by cyber criminals to plant adware on Macs, a security researcher said today.

"As far as we've been able to determine, it just installs adware and junkware," said Thomas Reed, director of Mac offerings at Malwarebytes, a San Jose, Calif. security firm. "It's annoying, but not malicious."

That's not to say the vulnerability isn't serious: The same group, or others, could easily leverage the vulnerability to infect Macs with more substantial attack code, Reed said.

The vulnerability -- which is Yosemite-specific -- was publicly disclosed last month by German researcher Stefan Esser, who also posted exploit code. According to a Korean researcher who goes by the nickname "beist" on Twitter, the bug had been reported to Apple before Esser revealed the flaw.

Esser took heat from some quarters for not informing Apple before publishing his findings.

Malwarebytes' Adam Thomas found the vulnerability exploit in the wild after examining an adware installer, which used the escalation of privilege flaw to drop its payload without the user's knowledge. Mac users are typically required to enter an administrator password before installing code to their systems.

"The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password," wrote Thomas in an Aug. 3 blog.

sudoers is a Unix file that, among other things, determines which users have "root" permissions in a Unix shell. The change to sudoers "gives any user, even guest users, rights to write to any file," said Reed of Malwarebytes.
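As an added example (not code from the article, Malwarebytes or Apple), a small Python audit that parses sudoers text and flags entries granting every account passwordless root, the kind of change described above; the sample file content and the group names treated as "everyone" are constructed assumptions.

```python
import re

# Constructed sample sudoers content (not taken from the article). The last line
# is the shape of entry that gives every account passwordless root, which is the
# sort of change a sudoers-tampering installer leaves behind.
SAMPLE_SUDOERS = """\
# Default rules
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD: ALL
"""

# user  host(s)=(runas) [TAG:] command list
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
DIRECTIVES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_entries(text):
    """Yield (who, hosts, runas, cmds) for each user-specification line,
    skipping comments, blank lines and Defaults/alias directives."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] in DIRECTIVES:
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield (m.group("who"), m.group("hosts"),
                   m.group("runas") or "", m.group("cmds").strip())

def is_open_root_grant(who, runas, cmds):
    """True when an entry hands passwordless root to every account: user spec
    ALL (or an assumed everyone-style group), NOPASSWD tag, command list ALL."""
    everyone = who == "ALL" or who in ("%everyone", "%staff")  # assumption
    passwordless = "NOPASSWD:" in cmds
    any_cmd = cmds.split(":")[-1].strip() == "ALL"
    as_root = runas in ("", "ALL", "root") or "root" in runas.split(",")
    return everyone and passwordless and any_cmd and as_root

def find_open_root_grants(text):
    """Return the entries in the given sudoers text that should be reviewed."""
    return [(who, hosts, runas, cmds)
            for who, hosts, runas, cmds in parse_entries(text)
            if is_open_root_grant(who, runas, cmds)]

if __name__ == "__main__":
    for entry in find_open_root_grants(SAMPLE_SUDOERS):
        print("suspicious sudoers entry:", entry)
```

On a real system feed it the contents of /etc/sudoers and any files under /etc/sudoers.d; it is a review aid, not a replacement for `visudo -c`.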

The adware installer that monkeys with sudoers is delivered as a Trojan horse, Reed added, which poses as a file download utility.

Although Reed said Malwarebytes did not have enough data to describe the extent of the campaign waged against Yosemite-powered Macs, he did say that the vulnerability was being put to work by adware shillers.

"Malware itself is very rare on Macs," Reed acknowledged. "What's not so rare is adware. There's an adware epidemic right now. Almost every day we see new adware coming to the Mac."

"Adware" is the broad term for malicious code that displays unwanted or unauthorized ads when people browse to websites; the ads are often in the form of irritating pop-ups.

The bug is limited to Yosemite, aka OS X 10.10, which is used by about 62% of all Mac owners, according to the latest statistics from analytics vendor Net Applications.

Neither OS X El Capitan (10.11), the upgrade now in testing that will launch in the next few months, nor Yosemite 10.10.5 -- an update also in beta -- contains the vulnerability, Reed said, signaling that Apple has patched the bug.

Yosemite 10.10.5, likely the final non-security update for the 2014 OS, will be released several weeks before Apple ships El Capitan.

This story, "Crooks exploit public bug to plant adware on Yosemite Macs" was originally published by Computerworld.

Copyright © 2015 IDG Communications, Inc.
