Hackers are exploiting a serious zero-day vulnerability in the latest version of Apple's OS X so they can install adware applications without requiring victims to enter system passwords, researchers said. As Ars reported last week, the privilege-escalation bug stems from new error-logging features that Apple added to OS X 10.10. Developers didn't use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that lets attackers open or create files with root privileges that can reside anywhere in the OS X file system. It was disclosed last week by security researcher Stefan Esser. On Monday, researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after finding the installer modified the sudoers configuration file. In a blog post, Malwarebytes researchers wrote:
[...] The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.
(Score: 0) by Anonymous Coward on Wednesday August 05 2015, @09:38PM
Don't worry, I'll get off your lawn.
(Score: 2) by zafiro17 on Sunday August 09 2015, @05:46PM
Dude, you're not even near my lawn. You're like those guys wondering what kind of distro to run on their 'old' laptop with 2G RAM and an Intel Core Duo. Talk to me when you're packing a Pentium III and 128MB of RAM, bro.
Dad always thought laughter was the best medicine, which I guess is why several of us died of tuberculosis - Jack Handey