Security researchers have shone a couple of lights on the soft underbelly of Apple's OS X operating system and gone public this week with warnings about vulnerabilities and mitigation efforts.
Apple has had fingers pointed at it over a print-to-file problem and something called Thunderstrike 2 which, in these early stages of reporting, has a much more exciting ring about it.
Thunderstrike 2, which sounds like a hit pop single from a collection of men and hair, or the sort of wrestling move that you do not want to do in a small space, is actually your new nightmare: a worm that makes its way from hardware to hardware wreaking whatever it wreaks.
What it wreaks is limited mayhem in the Extensible Firmware Interface department. This kind of root-level attack is of concern because firmware is not typically scanned as part of security provision and prevention.
This attack is something of a sequel, hence the 2, and Apple applied the earlier necessary protection to its OS with the release of version 10.10.2 in January.
Graham Cluley, writing on the Intego security blog, said that the sequel includes the ability to hop between hardware without a physical connection. He added that this should add some muscle to calls to get Apple to make a bounty reward system open to the community.
Cluley said that these kinds of problem are not the sort of thing that can be commonly uncovered, and that the industry is lucky to have the backing of a community of independent spirits with bug hunting in their hearts.
"There are some very smart people out there who are very good at finding vulnerabilities in Apple's software. The good news is that some of them aren't in the business of exploiting the vulnerabilities for criminal commercial gain, and aren't in the pocket of foreign governments and intelligence agencies," he said.
"The really bad news is that Apple isn't doing enough to work with these researchers. Other technology companies are offering sizeable bug bounties to researchers who work with them to uncover security holes, whereas Apple - one of the richest companies in the world - [prefers] to name bug reporters on a 'hall of fame' page instead."
Elsewhere this week, other researchers came across a zero-day vulnerability that could present a risk to the securely built ivory tower that is Apple OS X if Apple had not already addressed it.
An active exploit for the issue is in the wild, according to Malwarebytes, and it relies on print-to-file functionality and a threat with malice on its mind. The vulnerability is called DYLD_PRINT_TO_FILE and is "very bad news".
Malwarebytes researcher Adam Thomas was picking apart an adware installer when he stumbled across the flaw, said a blog post from the security firm.
Thomas realised that part of the adware installer was modifying subfolders and enabling root control without having to use a password.
DYLD_PRINT_TO_FILE exploit found in the wild | Malwarebytes Unpacked https://t.co/10q2FKQIIk — Stefano Meller (@StefanoMeller) August 4, 2015
"The real meat of the script involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password," said the firm.
"Then the script [uses] password-free behaviour to launch the VSInstaller app, which is found in a hidden directory on the installer's disk image, giving it full root permissions and thus the ability to install anything anywhere."
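A sudoers change of the kind Malwarebytes describes leaves a trace defenders can look for: a rule carrying the NOPASSWD tag. The following Python audit is an added example, not code from Malwarebytes or the original article; the sample sudoers content, the user names and the function names are constructed for illustration, and files pulled in through `#include` lines need the same check separately.

```python
import re

# Constructed sudoers content for illustration; not the text written by the installer.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
Defaults env_reset
deploy  ALL=(ALL) NOPASSWD: /usr/bin/rsync
build   ALL=(ALL) \\
        NOPASSWD: ALL
"""

TAG = re.compile(r"\b([A-Z_]+):")  # sudoers tags such as NOPASSWD: or PASSWD:

def logical_lines(text):
    """Yield (first_line_number, rule): continuations joined, comments removed."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        line = raw.rstrip()
        if line.endswith("\\"):          # backslash continues the rule on the next line
            buf += line[:-1] + " "
            continue
        rule = re.sub(r"(^|\s)#.*$", "", buf + line).strip()
        if rule:
            yield start, rule
        buf, start = "", None

def audit(text):
    """Return (line, who, command, severity) for every command runnable without a password."""
    findings = []
    for lineno, rule in logical_lines(text):
        if "=" not in rule or rule.startswith("Defaults"):
            continue
        who = rule.split()[0]
        spec = re.sub(r"\([^)]*\)", "", rule.split("=", 1)[1])  # drop the (runas) part
        nopasswd = False
        for cmnd in spec.split(","):     # a tag applies to later commands until reset
            for tag in TAG.findall(cmnd):
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            cmd = TAG.sub("", cmnd).strip()
            if nopasswd:
                findings.append((lineno, who, cmd, "high" if cmd == "ALL" else "review"))
    return findings
```

On a real system, pass in the contents of `/etc/sudoers` (readable only by root) and compare the findings against a known-good baseline; any unexpected "high" entry means every command can be run as root without a password.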
That is not the end of it, and Malwarebytes said that the script digs deeper, boring its way down and taking more liberties.
"In addition to installing VSearch, the installer will install a variant of the Genieo adware and the MacKeeper junkware," it added. "As its final operation, it directs the user to the Download Shuttle app on the Mac App Store."
The Download Shuttle app provides faster application downloads, and its presence should not be considered innocent.
The combined package sounds like a significant blight and, according to the post, Apple has known about the threat for a decent amount of time thanks to an earlier disclosure by another security researcher.
"This is obviously very bad news. Apple has evidently known about this issue for a while now," Malwarebytes added. "Unfortunately, Apple has not yet fixed this problem, and now it is beginning to bear fruit. Worse, there is no good way to protect yourself. Hopefully, this discovery will spur Apple to fix the issue more quickly."
We have asked Apple for information and are waiting for it to respond. In the meantime, users can turn to the earlier advice of the researcher Stefan Esser who first found the problem but did not inform Apple. The Esser fix is available through GitHub.
Looks like dropping DYLD_PRINT_TO_FILE exploit resulted in Apple having fixed it in OS X 10.10.5 beta "2" - suddenly they can work "faster" — Stefan Esser (@i0n1c) July 31, 2015
Esser has already said that his work has been overtaken by a release from Apple that fixed the issues. In a tweeted message he said that a fix quickly appeared. µ