In July, researchers at Malwarebytes have identified a local privilege escalation (LPE) vulnerability in the Mac OS X operating system. The experts discovered that the flaw in OS X was exploited in the wild by an installer for the Genieo and VSearch adware.
The crooks also installed MacKeeper and directed victims to the Apple App Store page of a file downloader dubbed Download Shuttle.
Despite Apple fixed the flaw on August 13 with the release of OS X Yosemite 10.10.5, a new version of the installer was discovered once again by experts at Malwarebytes reported seeing a new version of the previously analyzed installer. This time the new installer asks users to enter their admin password, after which it performs exactly the same operation of the first variant.
The researchers also another singular trick implemented by the installer, once executed it throws an installer request that asks for permission to access the user’s OS X keychain.
The principal problem related to this hack is the access to the Mac OS X Keychain which is the password management system that is used to store sensitive information and user credentials.
The experts highlighted that the adware could be improved to access users’ iCloud passwords and any other information stored in the keychain.
The identity management company MyKi also disclosed a method to hack the Keychain, its researchers also developed a proof-of-concept (PoC) exploit that can steal passwords from the Keychain and sends them to the attacker via SMS.
CSOonline published an interesting post on the topic, in particular, it reported further details on the attack provided by the researchers from the MyKi company.
A reader asked if this affected iOS as well as OSX. Jebara, one of the researchers confirmed that in the case the user opted for the iCloud Keychain, “then all passwords saved on the iOS device will also be extracted by the exploit. But the exploit will only execute on a OSX device meaning that it can only be run from a Mac.”
As for attack vectors, Jebara said that the following come to mind:
Relatively elaborate potential vectors:
(Security Affairs – KeyChain, Mac OS X)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.