Macbook Pro Retina OS X victim to Windows hijacking

DLL hijacking gained predominance in 2000 when it gave hackers the quiet chance to hack a vulnerable machine or even remotely exploit any application with poor security. The news is it has now come to the Apple’s OS X.

Apple fans at risk

The topic was the subject of discussion at the CanSec West conference in Vancouver. Here, the Synack director of research Patrick Wardle is expected to host a talk in which the different types of attacks will be explained. He stated that the DLL hijacking has been haunting Windows for a very long time and it brings with it a number of malicious adversities. “I wondered if it was similar on OS X and I found an attack similar to that,” said Wardle. Under cover, there are several technical differences, however the capabilities are the same. This means if you have a vulnerable app on OS X, you can abuse it in the same way as on Windows.

Apple's OS X Yosemite vulnerability

After this talk, Wardle is expected to unleash a source code for a scanner that would discover the apps vulnerable to the attack. Once he ran the Phyton script against his OS X machine, he found 144 binaries vulnerable to different types of dylib hijacking attacks. These binaries also included Apple’s Xcode, Quicktime plugins, iMovie, Microsoft Excel, Word, and Powerpoint. Also, there were third party apps that were vulnerable, like Dropbox, Java, Adobe plugins and GPG tools.

Wardle pointed out that Windows was very vulnerable to DLL hijacking and now OS X is in the same manner vulnerable to dylib hijacking.

Dangerously simple

The concept is more or less the same in both the cases. The attacker needs to get into a malicious library in a directory loaded with the operating system. Wardle also stated that one part of his strategy was to discover a vulnerable binary in the PhotoStream Agent that automatically launched with iCloud.

Apple's PhotoStream

He said that this was perfect for attack persistence. Here you had to copy the uniquely crafted dylib into the directory that PhotoStream searches for when the app launches. The dylib of the attacker is loaded into the context of this process. This is the best way to gather persistence. Here, you are not making new processes nor is a file being modified. You just plant one dylib and you are into it.

Wardle added that his smart malware infects the Xcode when any developer uses a new binary. This would add to the malicious code. “It’s an anonymous propagation vector,” said Wardle.

Does anybody care?

At the same time, Wardle was also able to bypass Apple’s Gatekeeper security app that restricts the nature of software that can be downloaded and installed onto the Apple computer and from where. Gatekeeper provides some anti-malware protection as well. Wardle stated that his malicious dylib code would be implanted in the download and blocked by the Gatekeeper as it was not signed by the App Store.

Apple's Gatekeeper

Wardle added that Gatekeeper would load the dangerous file and give code execution to the attacker. He stated that Gatekeeper does a very good job of blocking such harmful downloads, however this bypass will give users the chance to infect their devices.

Wardle is expected to explain the above Gatekeeper bypass and many other such attacks at the scheduled talks. The biggest concern he stated that the above malware goes undetected by major antiviruses and this is where the concern lies!

Apple did not pay his bug reports serious heed in January except for an automated mail response. Later, there was a thank you and congratulations issued by Apple for the acceptance of his talk at CanSecWest.

Wardle further expressed his worries that such attacks have so much power and can do a lot of dangerous things to OS X, but it is still not rectified.