Apple OS X at Risk From DLL Hijacking Exploit

By Sean Michael Kerner  |  Posted 2015-03-17 Print this article Print

One potential attack scenario, which Wardle referred to as load time process injection, is all about getting malicious code into a tahirget process. As part of his research, Wardle targeted Apple's Xcode Integrated Developer Environment (IDE).

"I thought it would be a cool idea for malware to infect binaries as the developer is compiling them, as kind of an autonomous malware propagation vector," he said.

As it turns out, Wardle isn't the only one who had the idea of using Xcode as a way to infect OS X. A report based on files from U.S. National Security Agency (NSA) whistleblower Edward Snowden claims the spy agency was attempting something similar. Coincidentally, Wardle is also a former NSA employee.

Wardle said he was unable to comment on his activities while working for the NSA, though he emphasized that his OS X DLL hijacking research is all new and wasn't the result of initiatives he was involved with while working at the NSA.

There is also the possibility of leveraging DLL highjacking by way of a remote attack. The Apple OS X Gatekeeper checks to make sure that content has been signed by a valid developer and can also be configured to allow only applications downloaded from the Apple App Store for Mac to run.

One of the reasons Wardle was able to infect code was due to the fact that some software is downloaded over HTTP and not the more secure HTTPS.

"It means a sophisticated adversary could intercept the download requests and then using the Gatekeeper bypass could inject malicious code," Wardle said. "The user when installing the software would then unknowingly infect themselves."

Going a step further, Wardle said he tested his attack against every Mac security product he could find. The result? Not a single one was able to detect the attack.

"To me, that shows the state of security products on Mac, and it shows that an adversary can trivially bypass any of them," he said.

Wardle has a few ideas as to how Apple can fix the DLL hijacking issue.

"Apple could change the dynamic loader such that when a signed application is loaded, it will only load DLLs that are signed by the same company or developer," Wardle said. "For users, there is no reason why companies should have software downloads over HTTP, as they are trivially easy to intercept."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel