What you need to know about the DYLD_PRINT_TO_FILE vulnerability in OS X Yosemite

Malwarebytes expert Adam Thomas reported that attackers are actively exploiting the DYLD_PRINT_TO_FILE vulnerability. A new environment variable in the dynamic link editor, dyld, makes it possible to access and modify any system file on a Mac without entering the administrator password. The security hole was found in OS X Yosemite.

The expert found the vulnerability when he obtained a new adware installer, Securitylab reports. While testing the adware on a machine running OS X Yosemite, Thomas noticed that the sudoers file (a hidden Unix file that defines who is allowed root access) had been modified. The vulnerability allowed the adware to gain root access without requiring the administrator password.
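A defender's check for the sudoers tampering described above, as an added example that is not from the original article or from Malwarebytes: it scans sudoers text for entries that skip the password prompt. `NOPASSWD` and `!authenticate` are standard sudoers syntax, but the article does not say which form the adware wrote; the sample file and user names are constructed.

```python
import re
import sys

# Constructed sample: stock-looking rules plus two passwordless entries.
SAMPLE_SUDOERS = """\
# sudoers file (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: \\
        ALL
Defaults:bob !authenticate
#includedir /private/etc/sudoers.d
"""

def logical_lines(text):
    """Yield (first_line_number, joined_line), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()

def passwordless_rules(text):
    """Return [(line_no, subject, reason)] for entries that skip the password prompt."""
    findings = []
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # comments and #include directives
        line = re.split(r"\s#", line, maxsplit=1)[0]  # drop trailing comment
        subject = line.split()[0]  # user, %group, or Defaults scope
        if subject.startswith("Defaults"):
            if "!authenticate" in line:
                findings.append((n, subject, "!authenticate"))
        elif re.search(r"\bNOPASSWD\s*:", line):
            findings.append((n, subject, "NOPASSWD"))
    return findings

if __name__ == "__main__":
    # Pass a path (e.g. a copy of /etc/sudoers) or fall back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for line_no, subject, reason in passwordless_rules(text):
        print(f"line {line_no}: {subject} is exempt from the password prompt ({reason})")
```

Any hit that was not put there by an administrator is worth comparing against a known-good copy of the file.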

The script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and executed, after which it is deleted. The script launches the VSInstaller application, which the researcher found in a hidden directory on the adware installer's disk image. Having gained root, the program was able to download anything.

As for VSInstaller, this app installs the VSearch adware, a variant of Genieo and MacKeeper. Finally, it directs the user to the Download Shuttle app in the Mac App Store.

That’s bad news for Apple, which has been aware of the vulnerability for some time. Although Stefan Esser published details of the flaw at the end of last month, the researcher beist had notified Cupertino about the problem a few months earlier. Apple has not yet resolved the issue.
