
A security researcher has published a zero-day vulnerability found in the newest versions of OS X Yosemite, apparently in protest at Apple’s irresponsible behavior when it comes to patching its software for vulnerabilities.

In a post published on his blog (to which we have deliberately not provided a link for security reasons), researcher Stefan Esser unveils a privilege escalation vulnerability connected to a new environment variable, DYLD_PRINT_TO_FILE, that has been added to the dynamic linker dyld. This variable lacks the safeguard applied to the other dyld environment variables, which are rejected when the binary being loaded is restricted (for example, a SUID binary).

“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege escalation.”

Esser then goes on to provide a proof of concept for the bug, which is a local exploit. The most common scenarios in which such bugs are exploited involve malicious app developers who want to elevate privileges without requiring the user to enter a system password, or exploit developers who can already execute malicious code as a regular user but not as root.

“Local exploits are considered less dangerous than remote exploits,” well-known OS X security researcher Pedro Vilaca told Ars Technica. “Still, they can be extremely useful in many scenarios. Local exploits in OS X are by the dozen. It seems everyone has a few.”

Back in October, a Swedish security researcher discovered another privilege escalation vulnerability in OS X Yosemite shortly after its release to users. You can read about it here.

According to a tweet written by Esser, Apple was made aware of this newest vulnerability months ago but patched it only in its El Capitan beta while leaving Yosemite versions 10.10.4 and the beta of 10.10.5 affected. This, in turn, prompted Esser to go public with the vulnerability.

But if Esser meant to target Apple, his actions may have missed their mark.

“It’s not about Apple. It’s about people who happen to use Apple’s products,” one Reddit user wrote in response to Esser’s disclosure. “The publication of this vulnerability doesn’t hurt Apple (much). It mostly just hurts users.”

It is unclear whether Esser actually practiced responsible disclosure and revealed the vulnerability to Apple at some point in time.

While Apple works to patch the issue, Esser has released SUIDGuard, a TrustedBSD Kernel Extension that is said to fix the vulnerability. The tool can be downloaded from GitHub here.

  • Matt H

    What a relief; all my OS X systems are running the El Capitan Beta…

    So, what is the model for responsible disclosure? How do you pressure any vendor to correct security flaws without some element of public condemnation? Do you start with disclosing the CVSS (or some other metric) severity of the flaw and the vendor, wait a month and disclose the product, wait another month and disclose the module, etc.

    Maybe there should be legal penalty to put a monetary value on flaws that multiplies the flaw severity times the number of instances implemented on the web. Funds collected could support patches released before exploitation (maybe even from the same vendor). Of course, if there were such a penalty, who pays if the flaw is in public domain software?