HACKINTOSH.ORG | Macintosh discussion forums

Macintosh News => iPhone/iPod/iPad News => Topic started by: HCK on August 05, 2015, 03:00:22 pm



Title: DYLD_PRINT_TO_FILE and malware: What you need to know
Post by: HCK on August 05, 2015, 03:00:22 pm
DYLD_PRINT_TO_FILE and malware: What you need to know

<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p><a href='http://www.imore.com/dyldprinttofile-and-malware-what-you-need-know' title="DYLD_PRINT_TO_FILE and malware: What you need to know"><img src='http://www.imore.com/sites/imore.com/files/styles/large_wm_blw/public/field/image/2015/04/macbook-review-hero.jpg?itok=CeK6KyUF' />[/url]</p> <p>DYLD_PRINT_TO_FILE (http://www.imore.com/dyldprinttofile-exploit-what-you-need-know) is an OS X 10.10 Yosemite vulnerability that could allow malicious code on your Mac to escalate its privileges—gain "root" access—and potentially exploit the system. Now an anti-malware company named Malwarebytes (https://blog.malwarebytes.org/mac/2015/08/dyld_print_to_file-exploit-found-in-the-wild/) has reported finding just such an exploit "in the wild", meaning it's already being used to try and install malware on Macs.</p> <h2>What does the malware do?</h2> <p>The malware uses DYLD_PRINT_TO_FILE to modify "sudoers"—a file that controls what commands can be run on your Mac, and what passwords are needed to run them, and by whom—so it can launch VSInstaller, which then installs junkware.</p> <h2>Has Apple patched the problem?</h2> <p>DYLD_PRINT_TO_FILE has already been patched in the OS X 10.11 El Capitan beta and in the OS X 10.10.5 beta. While El Capitan is only coming later this fall, OS X 10.10.5 should be imminent.</p> <h2>What else can and has Apple done?</h2> <p>It looks like Apple has already revoked the certificate used for the junkware, so Gatekeeper—Apple's system that blocks untrusted software—will prevent it from being launched without explicit user intervention. It also looks like Apple has at least begun to update OS X's automatic anti-malware definitions to recognize and reject the junkware, so it won't be able to be installed at all.</p> <h2>What do certificates and definitions have to do with this?</h2> <p>Effective security comes in layers. Properly fixing and testing patches takes time, and not everyone updates immediately. Given those realities, the ability to revoke certificates and add signature, when coupled with technologies like Gatekeeper and built-in anti-malware, helps prevent malicious code for executing even if it does make it onto an un-patched system.</p> <p>OS X El Capitan (http://www.imore.com/os-x-el-capitan-first-look) technologies like System Integrity Protection will take this even further by limiting the harm an exploit could cause even if it did manage to escalate its privileges to root.</p> <p>Apple also provides the Mac App Store as a safer and more secure place to download software from, so OS X customers aren't left to internet download sites that are typically strewn with junkware and malware.</p> <h2>Do I need to worry about this malware?</h2> <p>Malware is a problem. OS X 10.10.5 and the DYLD_PRINT_TO_FILE patch needs to be released as fast as engineering and quality assurance allows, and when it is, we need to update asap. In the meantime certificates need to be revoked and malware definitions updated just as soon as new exploits are discovered.</p> <p>But malware exists well beyond DYLD_PRINT_TO_FILE. If you download files from places you can't trust, you're at high risk of getting junkware and potentially worse on your Mac. Apple needs to fix bugs when they're discovered, and needs to keep putting as many blockades in the way of malicious software as the company can, but we need to do our part as well.</p> <p>That means only downloading from trusted sites like the Mac App Store, Adobe.com, Microsoft.com, and well-known developers with solid reputations, and it means being very careful about the links you click in emails, on social networks, and in other forums.</p> </div></div></div><br clear='all'/>

<a href="http://rc.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/rc/1/rc.htm" rel="nofollow"><img src="http://rc.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/rc/1/rc.img" border="0"/>[/url]

<a href="http://rc.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/rc/2/rc.htm" rel="nofollow"><img src="http://rc.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/rc/2/rc.img" border="0"/>[/url]

<a href="http://rc.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/rc/3/rc.htm" rel="nofollow"><img src="http://rc.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/rc/3/rc.img" border="0"/>[/url]

<img src="http://da.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/a2.img" border="0"/> (http://da.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/a2.htm)<img width="1" height="1" src="http://pi.feedsportal.com/r/234566686647/u/49/f/616881/c/33998/s/48b6611b/sc/15/a2t.img" border="0"/><img width='1' height='1' src='(http://tipb.com.feedsportal.com/c/33998/f/616881/s/48b6611b/sc/15/mf.gif)' border='0'/><img src="http://feeds.feedburner.com/~r/TheIphoneBlog/~4/Iqi-JVrFlUk" height="1" width="1" alt=""/>

Source: DYLD_PRINT_TO_FILE and malware: What you need to know (http://feedproxy.google.com/~r/TheIphoneBlog/~3/Iqi-JVrFlUk/story01.htm)