A security researcher disclosed a zero-day vulnerability in Mac OS X that allowed attackers to obtain unrestricted root user privileges with the help of code that even fits in a tweet.
The same vulnerability has now been upgraded to again infect Mac OS X machines even after Apple fixed the issue last month. The privilege-escalation bug was once used to circumvent security protections and gain full control of Mac computers.
Thanks to the environment variable DYLD_PRINT_TO_FILE Apple added to the code of OS X 10.10 Yosemite. The vulnerability then allowed attackers to install malware and adware onto a target Mac, running OS X 10.10 (Yosemite), without requiring victims to enter system passwords. However, the company fixed the critical issue in the Mac OS X 10.11 El Capitan Beta builds as well as the latest stable version of Mac OS X – Version 10.10.5.
Mac Keychain Flaw
Now, security researchers from anti-malware firm MalwareBytes spotted the updated version of the same highly questionable malicious installer is now accessing user's Mac OS X keychain without user's permission.
Once executed, the updated installer throws an installer request that asks for permission to access the user's OS X keychain. The installer automatically simulates a click on the "Allow" button as soon as it appears, which allows it to gain access to the Safari Extensions List, said MalwareBytes researcher Thomas Reed. This allows the malicious installer to install a Genieo Safari extension. The entire process of installing a malicious extension and gain access to OS X keychain takes just a fraction of a second.
You're Totally Screwed Up
However, the more worrisome part is that the installer could easily be modified to grant attackers access to other data from the keychain alongside passwords for user's Gmail account, iCloud account, and other important accounts.
Meanwhile, two security researchers from Beirut independently reported the Mac Keychain vulnerability, the same day Malwarebytes researchers disclosed their findings involving Genieo. The technique works on Mac systems only when invoked by an app already installed on user's systems.
The issue is critical because the Mac keychain is supposedly the protected place for storing account passwords and cryptographic keys. Apple has yet to respond to this latest issue. Until then, Mac users are advised to follow the standard security practices, such as do not download files from unknown or untrusted sources, and be wary of emails or websites that seem suspicious.