Intego’s security researchers have been examining some Mac OS X exploit code that was made public last month, and have found that one of these exploits could be used to build malware with serious consequences. One of the kernel exploits mentioned here has an interesting way of operating.
Unlike current Trojan horses, which require that a user enter an administrator’s user name and password, this exploit could grant root access to malicious software with no password required. It takes advantage of a vulnerability that exists when volumes (hard disks, disk images, removable media or network volumes) are mounted in Mac OS X. When this occurs, root access can be obtained without needing a password. The volume itself must be “prepared” for the exploit to work, but a malicious program could simply create such a disk image when it is launched, mount it (which allows the exploit to function), and then unmount it.
The danger of such an exploit is obvious: since no password is required, users get no warning. A malicious program can be disguised as a graphic file, music file or PDF, or a simple application. Note that this only seems to affect Intel-based Macs.
Currently, there are no examples of malware exploiting this vulnerability in the wild, but Intego has updated the virus definitions for VirusBarrier X5 to protect against the possible use of this flaw. Apple is certainly aware of this vulnerability, and we hope they will be issuing a security update to prevent this flaw from being exploited.