A security researcher has published a zero-day vulnerability found in the newest versions of OS X Yosemite apparently out of protest to Apple’s irresponsible behavior when it comes to patching its software for vulnerabilities.
In a post published on his blog (to which we have deliberately not provided a link for security reasons), researcher Stefan Esser unveils a privilege escalation vulnerability connected to a new environment variable DYLD_PRINT_TO_FILE that has been added to the dynamic linker dyld. This variable does not come with safeguards, such as those that would reject all environment variables passed to it in the case of restricted files.
“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not openes with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege escalation.”
Esser then goes on to provide a proof of concept for the bug, which is a local exploit. The most common types of scenarios in which these bugs are exploited involve malicious app developers who want to elevate privileges without requiring the user to enter a system password or exploit developers having the ability to execute malicious code as a regular user but not as a root user.
“Local exploits are considered less dangerous than remote exploits,” well-known OS X security researcher Pedro Vilaca told Ars Technica. “Still, they can be extremely useful in many scenarios. Local exploits in OS X are by the dozen. It seems everyone has a few.”
Back in October, a Swedish security researcher discovered another privilege escalation vulnerability in OS X Yosemite shortly after its release to users.
According to a Tweet written by Esser, Apple was made aware of this newest vulnerability months ago but patched it only in its El Capitain Beta while leaving Yosemite versions 10.10.4 and the beta of 10.10.5 affected. This, in turn, prompted Esser to go public with the vulnerability.
So Apple was informed about said bug months ago and as usual did the irresponsible to fix it for some beta half a year in the future only.
— Stefan Esser (@i0n1c) July 22, 2015
But if Esser meant to target Apple, his actions may have missed their mark.
“It’s not about Apple. It’s about people who happen to use Apple’s products,” one Reddit user wrote in response to Esser’s disclosure. “The publication of this vulnerability doesn’t hurt Apple (much). It mostly just hurts users.”
It is unclear whether Esser actually practiced responsible disclosure and revealed the vulnerability to Apple at some point in time.
While Apple works to patch the issue, Esser has released SUIDGuard, a TrustedBSD Kernel Extension that is said to fix the vulnerability. The tool can be downloaded from GitHub here.