It's been a scary week for Apple security thanks to Thunderstrike 2 and now DYLD. The former is a proof of concept that poses little real-world risk, but the second is being exploited right now to install adware on victims' Macs. A fix is on the way, and will be part of the OS X 10.10.5 update due out soon.
DYLD bug lets attackers install adware on your Mac without permission
The DYLD_PRINT_TO_FILE exploit takes advantage of the error logging feature of dyld, the dynamic linker in OS X 10.10, in a way that lets attackers write files with root privileges. Attackers can install files on your Mac without needing a password, and once there, they have unfettered access to your system.
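The two things a Mac admin can actually check for are whether a machine is still on an affected Yosemite build and whether anything on it is pointing DYLD_PRINT_TO_FILE at a system location where an ordinary user has no business writing. The following Python script is an added example written for this article, not code from Apple, Malwarebytes or Mr. Esser. It assumes Python 3, it only treats 10.10.x builds earlier than 10.10.5 as affected (as the article states), the sample shell-history lines it scans are constructed here, and the `sw_vers` call is a standard macOS command that simply fails gracefully elsewhere.

```python
"""Defensive audit helpers for the OS X 10.10 DYLD_PRINT_TO_FILE flaw."""
import re
import subprocess

# Locations a normal user is expected to write to. A DYLD_PRINT_TO_FILE target
# outside these (e.g. under /etc, /Library, /usr) is what the flaw was abused for.
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "~")

DYLD_ENV_RE = re.compile(r"DYLD_PRINT_TO_FILE=(?P<path>\S+)")


def parse_version(version: str) -> tuple:
    """Turn '10.10.4' (or '10.10') into a tuple of ints, ignoring any extra text."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable_yosemite(version: str) -> bool:
    """True for any Yosemite (10.10.x) build earlier than 10.10.5.

    Other major versions (10.9, 10.11 with its own patch) are not flagged here;
    the article only covers Yosemite builds prior to 10.10.5.
    """
    parts = parse_version(version)
    if parts[:2] != (10, 10):
        return False
    patch = parts[2] if len(parts) > 2 else 0  # bare '10.10' means 10.10.0
    return patch < 5


def local_version():
    """Return the running macOS version, or None when not on a Mac."""
    try:
        out = subprocess.run(["sw_vers", "-productVersion"],
                             capture_output=True, text=True, check=True)
        return out.stdout.strip()
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


def suspicious_dyld_lines(lines):
    """Return (line_number, path) for every line that points DYLD_PRINT_TO_FILE
    at an absolute path outside the user-writable areas.

    Debug use of the variable with a log file under /tmp or the home directory
    is legitimate and is deliberately not reported.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        match = DYLD_ENV_RE.search(line)
        if not match:
            continue
        path = match.group("path").strip("\"'")
        if path.startswith("/") and not path.startswith(USER_WRITABLE_PREFIXES):
            hits.append((number, path))
    return hits


# Constructed sample: four lines as they might appear in a shell history file.
SAMPLE_LINES = [
    "cd ~/Downloads && open Installer.app",
    "DYLD_PRINT_TO_FILE=/tmp/dyld-trace.log ./myapp",
    "DYLD_PRINT_TO_FILE=/usr/local/lib/example.dylib ./installer",
    "DYLD_PRINT_TO_FILE=/Users/alice/dyld.log ./tool",
]


if __name__ == "__main__":
    version = local_version()
    if version is None:
        print("not running on macOS; skipping version check")
    else:
        state = "AFFECTED" if is_vulnerable_yosemite(version) else "not affected"
        print(f"OS X {version}: {state}")
    for number, path in suspicious_dyld_lines(SAMPLE_LINES):
        print(f"line {number}: DYLD_PRINT_TO_FILE aimed at system path {path}")
```

Run it on a Mac and the version check tells you at a glance whether the machine still needs the 10.10.5 update; point `suspicious_dyld_lines` at real shell-history or installer-log lines instead of the constructed sample to look for the variable being aimed at system paths. Only line 3 of the sample is reported, because a log file under /tmp or a home directory is ordinary dyld debugging rather than abuse.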
The security research firm Malwarebytes said attackers are using the exploit to install the VSearch adware package. The company went on to say,
In addition to installing VSearch, the installer will also install a variant of the Genieo adware and the MacKeeper junkware. As its final operation, it directs the user to the Download Shuttle app on the Mac App Store.
The exploit caught the eye of attackers last month when Stefan Esser, without first notifying Apple, wrote a blog post detailing how it works. Hackers ran with his information, and now we're seeing real exploits in the wild.
The flaw is already patched in the beta version of OS X 10.11 El Capitan, and a fix is in the beta version of OS X 10.10.5 Yosemite as well. Mr. Esser, who revealed the exploit, posted on Twitter that Apple added the patch to OS X 10.10.5 beta 2.
Since OS X 10.10.5 is still in beta and hasn't been released as an official update, Mr. Esser released his own fix that Mac users can install. Considering he was the person who revealed the flaw without notifying Apple, however, there isn't any reason to simply accept his efforts at face value. His kernel extension may be safe, or it could create more problems than it claims to fix.
OS X 10.10.5 should be available soon, and it will include Apple's official fix for the security flaw. Until then, Macs running any version of OS X Yosemite prior to 10.10.5 are potentially susceptible.
The best way to protect your Mac from the DYLD_PRINT_TO_FILE security flaw until the update ships is to avoid websites you don't trust and not to install apps from untrusted sources.