STE WILLIAMS

TWEET of DOOM: Tiny exploit back pillaging keychains

Mac malware using an exploit so small it fits in a tweet has been upgraded to avoid anti-virus checks.

The malware uses the patched OS X DYLD_PRINT_TO_FILE vulnerability that grants attackers root privilege escalation through trivial code.

The updated version flashes a fleeting installer request for access to the OS X keychain and simulates a click on “allow” before the user can intervene.

Malwarebytes researcher Thomas Reed said that this currently grants access to the Safari Extensions List, but could grant attackers access to iCloud accounts and other keychain data.

“More concerning, though, is the question of what’s to stop this adware from accessing other confidential keychain information like passwords?” Reed added.

“With a few minor changes, the adware could get access to other things from the keychain, like the user’s iCloud password.

“The user may be made suspicious by the window flashing up then disappearing, but may not know what the full implications of that are or what to do about it.”

It could also be an attempt to prepare workarounds for the stronger security controls in the upcoming El Capitan OS X release.

The malware will deposit other ad-injecting and scareware crap on OS X lawns while messing with the keychain, Reed said.

Webroot researcher Devin Byrd said a similar variant had been found messing with the popular AdBlock extension to ensure its injected advertisements will not be blocked.

Users can protect their machines by updating to the El Capitan beta or, for those staying on stable versions, by installing security man Stefan Esser’s SUIDGuard. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/09/01/tweet_of_doom_tiny_exploit_back_pillaging_keychains/
