A security flaw in an operating system is dangerous, but a security flaw that’s being actively exploited in the wild, and for which there is no official fix, is much more problematic. That’s exactly what’s happening to Apple’s latest version of OS X, according to security company Malwarebytes.
An OS X security flaw detailed in July by security researcher Stefan Esser allows an attacker to install software on a user’s computer without permission or password. Now, Malwarebytes researcher Thomas Reed has encountered an exploit that takes advantage of this flaw, installing VSearch and Genieo adware as well as MacKeeper junkware — in short, software that you don’t want on your computer, ever.
The exploit takes advantage of a vulnerability in the handling of the DYLD_PRINT_TO_FILE environment variable in OS X 10.10.x, a dynamic-linker variable normally used for error logging. According to Esser, the vulnerability has been fixed in the OS X 10.11 beta versions, but is not fixed in the current version — OS X 10.10.4 — nor in the 10.10.5 beta version.
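For readers who want a quick triage aid, the following shell script is an added example and is not code from the article, from Esser, or from Malwarebytes. It does two defensive things: it classifies an OS X version string against the range the article reports as affected (10.10.x affected, 10.11 beta fixed, anything else reported as unknown rather than safe), and it lists launch items whose file names mention the three software families the article says the exploit drops. The name patterns (vsearch, genieo, mackeeper) and the demo file names are assumptions constructed for triage, not verified indicators, and the launch-item directories are the standard macOS ones.

```shell
#!/bin/sh
# Added example, not code from the article or from Malwarebytes.
#  1. dyld_flaw_status: classify a version string against the range the
#     article reports as affected by the DYLD_PRINT_TO_FILE flaw.
#  2. suspect_launch_items: flag launch items whose names mention the
#     families the article says the exploit installs. Name matching is an
#     assumption for triage; a match is a lead to inspect, not a verdict.

dyld_flaw_status() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    case "$major.$minor" in
        10.10) echo "affected" ;;      # 10.10.4 and 10.10.5 beta, per the article
        10.11) echo "fixed" ;;         # 10.11 beta, per Esser as quoted
        *)     echo "not-reported" ;;  # outside what the article states
    esac
}

# Print the paths in a launch-item directory whose file name (lowercased)
# contains one of the assumed family strings.
suspect_launch_items() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f" | tr '[:upper:]' '[:lower:]')
        case "$name" in
            *vsearch*|*genieo*|*mackeeper*) echo "$f" ;;
        esac
    done
}

# Offline demo on a constructed directory; returns the number of hits.
demo_scan() {
    tmp=$(mktemp -d)
    : > "$tmp/com.apple.example.plist"          # constructed, benign name
    : > "$tmp/com.genieo.completer.plist"       # constructed sample name
    : > "$tmp/com.VSearch.daemon.plist"         # constructed sample name
    suspect_launch_items "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}

# On a real Mac, report the live version and scan the standard launch dirs.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    echo "OS X $v: $(dyld_flaw_status "$v")"
    for d in /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents"; do
        suspect_launch_items "$d"
    done
fi
```

The version check only knows the range the article states, so a result of "not-reported" means the article is silent, not that the system is safe; the launch-item scan is deliberately name-based and should be followed by inspecting the matched plists by hand.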
Reed claims Esser’s behavior was irresponsible, as he publicly revealed the flaw without notifying Apple first. And while Esser created his own software that he claims fixes the issue, Reed advises against using it.
“There is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest,” he wrote in a blog post.
We’ve contacted Apple about the issue and will update the article when we find out more.