Newly Discovered OS X Security Flaw Could Give Hackers an Easy Way to Take Control of Your System
If you by chance haven’t updated to Mac OS X 10.10 just yet (e.g., the Yosemite operating system update that first became available last October), then you may want to hold off. According to a recent blog post by cyber security researcher Stefan Esser, Apple added a few features to the code of OS X 10.10 that have introduced some pretty serious vulnerabilities into the system. The issues, Esser noted, are present in both the current Yosemite release (OS X 10.10.4), as well as in the beta version of 10.10.5. Esser did note, however, that the first betas of OS X 10.11 (Apple’s forthcoming “El Capitan” update) do not include the vulnerability, suggesting that Apple has been aware of the problem for some time.
The “Root” of the Problem
So what’s the problem? According to Esser, the vulnerability lies with the “dynamic linker dyld.” In an operating system, a dynamic linker is responsible for loading and linking shared libraries for executable programs or files. In this particular case, Apple has added a feature to the dynamic linker that “enables error logging to an arbitrary file.”
Error logging by itself is not a problem, but since Apple failed to code the new feature with “the usual safeguards that are required when adding support for new environment variables to the dynamic linker.” As a result, hackers could feasibly exploit the new error logging feature to attain root privileges in OS X.
Worse, because the error logging file is always open and active, Esser says that it can affect all “processes spawned by SUID binaries.” What this essentially means is that hackers would be able to escalate their privileges in OS X from basic file opening and creation, to anything controlled by SUID (Set owner User ID upon execution). Since SUID binaries are what give a root user the elevated permissions they need to make a major change to a program, file, or to the system as a whole (like changing the computer’s login password), the OS X 10.10 vulnerability is serious enough to give hackers full control of your system and all of your files.
What Coding Changes Could Have Prevented the Issue?
The truly upsetting thing about this new vulnerability—beyond the fact that it could open your Mac system up to hackers—is how easily Apple could have avoided it. Normally, when software developers add environment variables to a dynamic linker, they will include a safeguard that will automatically force the dynamic linker to reject requests related to restricted files. In other words, with most dynamic linkers, hackers would not be able to access SUID root binaries—at least not easily—simply because the system would recognize those binaries as restricted.
More specifically, Esser says that Apple’s OS X 10.10 operating system would be safe if the new error logging environment variable had been coded to the correct part of the dynamic linker dyld: “processDyldEnvironmentVariable()” is the name of the code. Instead, Apple coded the variable directly to the “_main” function of the dyld. The difference is that, where the “processDyldEnvironmentVariable()” function would automatically have rejected error logging requests for restricted binaries, the “_main” function is not coded to automatically reject the requests.
Ostensibly, Apple coded the error logger function in the wrong place, and the result is that the function isn’t smart enough to restrict access to sensitive binaries. The company basically played right into hackers’ hands and gave them the keys to the kingdom.
Solving the Problem
The question now is, how can you solve the problem to keep your operating system secure? The good news is that Esser, in addition to providing a detailed description of the vulnerability and a proof of concept to show how hackers could exploit it, also wrote a kernel (operating system) extension that will prevent “all DYLD_ environment variables from being recognized by the dynamic linker for SUID root binaries.” You can download the kernel extension/driver for yourself on GitHub.
Apple has said that they were already aware of the vulnerability, which means that we could see an OS X update in the next few week that re-codes the dynamic linker dyld and keeps the error logger from responding to restricted requests. Now that Esser has publicly revealed the security risks posed by the vulnerability—and now that the story is making the rounds on most of the web’s top tech sites—Apple could definitely feel extra pressure to get the vulnerability patched up and fixed quickly.
With that said, Apple’s schedule for releasing updates and patches isn’t exactly predictable, and as Esser wrote in introducing his kernel extension, it could feasibly take the company months to release a fully secure version of OS X. It’s certainly concerning that the beta version of Yosemite 10.10.5 still include the security vulnerability.
And while the first betas for El Capitan do secure the issue by moving the error logging code from “main” to “processDyldEnvironmentVariable()”, you aren’t going to want to wait for the release of OS X 10.11 to patch up the issue: El Capitan was announced in June, but likely won’t be made available for download until October.
The good news is that so far, we haven’t heard any horror stories about Mac users being hacked or exploited because of this vulnerability. By all indications, Stefan Esser was the first person to reveal the bug publicly. The bad news is that, now that everyone knows this flaw exists, hackers know how to exploit it and could use the window between now and Apple’s inevitable update or patch to take control of OS X systems.
Now is the time to protect yourself from this issue, and the best way to get protected right away is by downloading Esser’s kernel driver. The GitHub link provided above includes instructions of how to implement the extension, if you have never downloaded an OS X patch outside of Apple’s official software updates.