VANCOUVER — Macs are highly vulnerable to a widely understood software flaw that was fixed nearly five years ago in Windows, a researcher demonstrated today (March 19) here at the CanSecWest 2015 security conference.
Patrick Wardle, research director at Redwood City, California-based security firm Synack, explained that many applications on OS X can be easily undermined by a DLL hijack, in which applications load malicious versions of shared software libraries. The flaw can even be used to fool Apple's own Gatekeeper security software into verifying malicious applications.
Directly affected applications include Apple's own Xcode, QuickTime, iMovie and iCloud PhotoStream, the OS X versions of Microsoft Word, Excel and Powerpoint, and cloud offerings such as Google Drive and Dropbox. Antivirus (AV) software will not detect the malicious files, and the vulnerability is not likely to be completely fixed because it is a fundamental part of the way OS X works. (Apple did not immediately respond to a request for comment.)
"This is trivial to accomplish, difficult to be patched out" [of existence], Wardle said, "and hard for AV to defend against, since it uses legitimate functionality."
Dynamic linked libraries, or DLLs, are software repositories used by more than one application, and hence are often stored separately from applications. Attacks using malicious DLLs were first made public by HD Moore of Rapid 7 in 2010, although Wardle pointed out that the National Security Agency had warned of the threat in 1998.
Until 2010, Windows applications searched for DLL files by name, not by file path (i.e., location), and often scanned several directories before finding the appropriate file. Attackers created malicious DLLs that shared the names of commonly used ones, then placed them somewhere — such as a targeted application's own directory — where they could be found before applications located the real DLLs.
Microsoft fixed the DLL-hijacking problem in Windows XP and up in late 2010 by mandating that all applications search for DLLs by location well as by name. As Windows power users know, no two files in the same directory can have the same name, making it impossible to put a fake DLL in the right place.
Holes in the Apple
Apple's OS X, in which dynamic linked libraries are called dylibs, also searches using file paths, so it should theoretically be immune to DLL attacks — but Wardle found that there are two major holes in Apple's process.
First, some OS X applications don't stop running if no dylib is found where one should be. An attacker can inject a malicious dylib in that directory.
Second, some applications are not sure where their dylibs live, and turn to an OS X helper application called the dylib loader to find them. The file paths for those dylibs can be generated on the fly, and the dylib loader can be fooled to point to malicious files.
After much trial and error, Wardle was able to create malicious applications that injected malicious code into running OS X applications. He streamlined the process by creating two more tools. One scans a Mac for vulnerable applications (available free at http://objective-see.com/products/dhs.html), and found 142 vulnerable applications on Wardle's own work laptop. The other tool examines a vulnerable application to quickly determine how to tailor a malicious dylib for it.
Corrupting Apple to the core
The flaw can be used to corrupt Xcode, Apple's own software-development tool, which means that OS X and iOS apps could be created with vulnerabilities of which even the developer was unaware. Earlier this month, news reports revealed a CIA document leaked by former NSA contractor Edward Snowden that discussed corrupting Xcode, but didn't say how that could be done. Wardle's work shows how.
(Wardle said it was unlikely that an attacker could use a DLL hijack to directly attack iOS. Technical details of his presentation are available on the Virus Bulletin website.)
Even worse, Wardle said, the flaw can be used to bypass Apple's Gatekeeper-screening software to permit the installation of malicious applications. Gatekeeper will not detect any malicious code in the application's installer, but once the application runs, it will reach out to malicious dylibs that have already been installed on the computer.
Wardle explained that malicious dylibs can be installed by deceiving the user into running software downloaded from the Internet. After all, OS X throws up the same warning for every piece of downloaded software, good or bad, and annoyed users quickly learn to accept them all.
Secure code sent in an insecure way
Malicious dylibs can also be injected into downloads of legitimate software through man-in-the-middle attacks, Wardle said. About two-thirds of the software packages pre-approved by Gatekeeper transmit their files using the insecure HTTP protocol instead of the secure HTTPS protocol, and a hacker could intercept and modify the download stream.
Wardle found that insecure installers include Microsoft Word, Spotify, the VLC media player and nearly a dozen well-known brands of Mac antivirus software that he tested.
"Any AV product download can be man-in-the-middled, and all require root to install," creating a security disaster, Wardle said.
Defeating dastardly dylibs
Wardle said he had informed Apple of the flaw, and expected a partial fix to be pushed out to OS X users within a few days of his presentation. However, he explained that the flaw could probably never be fully fixed, because it was part of the operating system.
Users can nevertheless take some precautions, Wardle said, by scanning their systems with his free tool to identify vulnerable apps. They should also download application installers using only HTTPS, if possible.
"Scan your system, install only over HTTPS, and don't give your money to the AV companies," he said.
- 10 Easy-to-Use Security and Privacy Tools
- How to Encrypt Files on Mac OS X
- Apple Pay: Can You Trust It?