We all know that no machine is inherently safe, and in order to protect our networks we must stay vigilant on all fronts. That’s why it’s good to have a solid knowledge base on vulnerabilities that appear in systems often considered safer than most. We don’t want to overlook any possible threat. Apple products are frequently described as the safer choice, so today we will look into a new vulnerability in the OS X 10.10.x branch of the operating system.
This vulnerability centers on a flaw in the system’s DYLD_PRINT_TO_FILE environment variable. This variable is normally used to direct the dynamic linker’s output to a file, but unlike the more restricted, and safe, alternatives that write to a single fixed location, it can write anywhere. To make matters worse, not only is there no restriction on where the file is written, the variable is also honored by SUID root binaries. That combination opens the door to privilege escalation, which leaves the machine completely open.
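As an added triage example (not from the original post), the script below scans process environment listings for DYLD_PRINT_TO_FILE and rates a hit as high severity when the target path sits under a system directory, which is where a write by a SUID root binary would matter. The record format, the privileged-prefix list and the sample records are assumptions constructed for this example; on macOS the input would typically come from `ps -E`, which appends each process’s environment.

```python
import posixpath

# Directories where a dyld log file written by a SUID-root process would land
# with root ownership. The list is an assumption for this example.
PRIVILEGED_PREFIXES = ("/etc", "/private/etc", "/usr", "/bin", "/sbin",
                       "/System", "/Library", "/var/root")

def parse_env(env_text):
    """Turn 'KEY=value KEY2=value2 ...' (as printed by `ps -E`) into a dict.

    Tokens are split on whitespace, so a path containing spaces would be
    truncated; this is a triage heuristic, not a full parser.
    """
    env = {}
    for token in env_text.split():
        if "=" in token:
            key, _, value = token.partition("=")
            env[key] = value
    return env

def dyld_target_is_privileged(path):
    """True when the normalised path (.. segments resolved) is under a privileged prefix."""
    norm = posixpath.normpath(path)
    return any(norm == p or norm.startswith(p + "/") for p in PRIVILEGED_PREFIXES)

def triage(records):
    """records: iterable of (pid, user, command, env_text).

    Returns (pid, user, command, target, severity) for every process carrying
    DYLD_PRINT_TO_FILE: 'high' when the target is a privileged path, 'low'
    otherwise (e.g. a developer logging into their own home directory).
    """
    findings = []
    for pid, user, command, env_text in records:
        target = parse_env(env_text).get("DYLD_PRINT_TO_FILE")
        if target is None:
            continue
        severity = "high" if dyld_target_is_privileged(target) else "low"
        findings.append((pid, user, command, target, severity))
    return findings

# Constructed sample records, not real process data.
SAMPLE = [
    (4121, "alice", "/usr/bin/vim notes.txt", "HOME=/Users/alice SHELL=/bin/zsh"),
    (4130, "alice", "./installer", "HOME=/Users/alice DYLD_PRINT_TO_FILE=/etc/example.conf TERM=xterm"),
    (4140, "bob", "./build/app", "HOME=/Users/bob DYLD_PRINT_TO_FILE=/Users/bob/dyld.log"),
    (4150, "bob", "./installer", "HOME=/Users/bob DYLD_PRINT_TO_FILE=/private/etc/../etc/example"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("pid=%d user=%s cmd=%r target=%s [%s]" % finding)
```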
While a fix has been applied in Apple’s new beta build, OS X 10.11, there is still no fix for the previous versions nor for the current beta of OS X 10.10.5. Unless you upgrade to a currently unstable build, there is no meaningful way to stop attacks on these machines. This is clearly a nasty vulnerability in the operating system and a good reminder that we can’t leave any endpoint to look after its own security.
So what can we do to keep these threats subdued? Patching would be the best way to mitigate the issue, but since the correction is only available in a beta, that route is risky. Instead, we need to look to our network security tools to make sure the attacks don’t spread or gain access to our core systems. A good IDS and/or IPS helps minimize the spread, and for those with real internal security, a NAC helps mitigate the risk of spread or of high-level access by the attacker.
This is, of course, just a single example, a single vulnerability, in the system, but it only takes one crack to let the attackers in. We cannot trust our endpoints, no matter what kind of system they are and regardless of their reputation, because there will be holes. Luckily, with vigilance and the proper network security, we can minimize or eliminate these threats by making sure our endpoints and their traffic are properly scrutinized. We can win out against these Evil Endpoints, but only if we are looking for them without excluding the systems we think are ‘safe.’
For information on how you can prevent your organization from being breached, visit www.miltonsecurity.com or call 714-515-4011.