Over the last month, two newly disclosed OS X threats have been getting some press.
The first hasn’t been given a catchy nickname, but most sites are referring to it as the DYLD_PRINT_TO_FILE privilege escalation vulnerability. What’s curious about this one is that a Malwarebytes researcher posted to his blog that it was being actively exploited in the wild. The details were extremely vague, but supposedly some Mac users were tricked into downloading/installing an app with a faked Apple Developer ID; the app exploited the DYLD_PRINT_TO_FILE vulnerability to modify the /etc/sudoers file, and then installed VSearch (adware) and MacKeeper (junkware) WITHOUT prompting the user to authenticate during the installs.
I’ve spent some time researching this DYLD_PRINT_TO_FILE threat, and learned that a lot of people in the security world are questioning the validity of the Malwarebytes researcher’s claim. The name of the app with the faked Apple Developer ID was never mentioned. It can’t be reproduced now because Apple apparently revoked the Developer ID. The whole thing sounds like complete FUD to me.
Nonetheless, the DYLD_PRINT_TO_FILE threat is legit. The good news is that this vulnerability only exists in OS X 10.10 Yosemite, and Apple included a patch for it in the recent OS X 10.10.5 update!
The second OS X vulnerability that has been getting press recently is nicknamed Thunderstrike 2. This proof-of-concept is really nasty, potentially spreading via infected firmware on Thunderbolt devices. The original Thunderstrike was disclosed in January 2015, but required someone to manually manipulate the firmware on the Thunderbolt device (evil maid attack). Apple included a patch for it in the OS X 10.10.4 update. Thunderstrike 2 takes this vulnerability further by introducing a method for the Thunderbolt firmware to be hacked “via a phishing e-mail and malicious Web site”.
So here’s what you need to know about Thunderstrike 2… It has not been exploited in the wild, and it is dependent on the DYLD_PRINT_TO_FILE privilege escalation vulnerability. Because only Macs running Yosemite OS X 10.10 have this vulnerability, if you update to OS X 10.10.5 you are safe from both Thunderstrike 2 and the DYLD_PRINT_TO_FILE privilege escalation… but in my opinion neither is an active threat to be concerned about.
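The two things the post leaves a Mac admin to verify are whether a machine is still on a pre-10.10.5 build of Yosemite and whether /etc/sudoers has picked up a passwordless rule of the kind the reported adware installs relied on. The script below is an added example written for this post, not code from the original article or from Apple or Malwarebytes; it checks both against a version string and a sudoers file body, with a constructed sample sudoers embedded so it runs offline. The sample rule, the helper names and the `assess()` report format are all assumptions of the example.

```python
import re

# Per the post, the DYLD_PRINT_TO_FILE bug is specific to OS X 10.10 and fixed in 10.10.5.
PATCHED_VERSION = (10, 10, 5)


def parse_version(version):
    """'10.10.4' -> (10, 10, 4); a bare '10.10' becomes (10, 10) and still compares as older."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version):
    """True only for Yosemite builds older than the 10.10.5 patch."""
    v = parse_version(version)
    return v[:2] == (10, 10) and v < PATCHED_VERSION


def nopasswd_rules(sudoers_text):
    """Return (user_spec, rule) pairs for every active sudoers rule carrying the NOPASSWD tag.

    A passwordless rule is what lets an installer drop software without the usual
    authentication prompt, so any hit here that the admin did not create deserves a look.
    """
    joined = re.sub(r"\\\n", " ", sudoers_text)  # fold backslash continuation lines
    hits = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        line = re.split(r"\s#", line, maxsplit=1)[0].strip()  # drop trailing comment
        if re.search(r"\bNOPASSWD:", line):
            user_spec, rule = re.split(r"\s+", line, maxsplit=1)
            hits.append((user_spec, rule.strip()))
    return hits


def assess(version, sudoers_text):
    """Summarise the two checks this post gives a Mac admin: patch level and sudoers tampering."""
    return {
        "os_version": version.strip(),
        "needs_10_10_5_update": is_vulnerable_version(version),
        "nopasswd_rules": nopasswd_rules(sudoers_text),
    }


# Constructed sample (not a real file): an unpatched Yosemite box whose sudoers has
# picked up a blanket passwordless rule alongside the stock root and %admin entries.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root        ALL = (ALL) ALL
%admin      ALL = (ALL) ALL
# the line below is not part of a stock OS X sudoers
ALL         ALL = (ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    print(assess("10.10.4", SAMPLE_SUDOERS))
    # On a live Mac, feed it `sw_vers -productVersion` and the contents of /etc/sudoers
    # (the file is root-readable only, so the second read needs sudo).
```

A stock OS X sudoers carries no NOPASSWD rules, so an empty `nopasswd_rules` list plus a version at or above 10.10.5 is the clean result; the sample above returns the opposite on both counts.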