Apple OS X at Risk From DLL Hijacking Exploit

A Synack researcher alleges that Dynamic Link Libraries (DLLs) can be used to bypass Apple's Gatekeeper and other security products.


Apple's OS X operating system has multiple layers of security to protect users against potentially malicious applications, but according to Patrick Wardle, director of research at Synack, Dynamic Link Library (DLL) hijacking can be used to bypass those protections, potentially putting users at risk.

Wardle is set to formally detail his research at a presentation at the CanSecWest security conference in Vancouver, British Columbia, on March 18. Apple did not respond to a request for comment from eWEEK about Wardle's research.

"I submitted the initial bug to Apple via their suggested bug reporting channel, on Jan. 15, 2015," Wardle told eWEEK. "In this report, I also informed them I'd be speaking about this at CanSecWest."

Wardle said he didn't get an initial response back from Apple, so he resubmitted his findings on Feb. 7 and got an automated response on Feb. 9 acknowledging the submission. On Feb. 10, Wardle emailed Apple back, thanking the company for its automated response and reiterating that he would be talking about the DLL hijacking issue at the CanSecWest conference. On Feb. 13, Apple emailed Wardle back thanking him for his previous email. Wardle noted that the Feb. 13 email was the first time he received a non-automated response from Apple.

"They [Apple] also emailed me at the end of February, stating they would be willing to provide feedback on my slides," Wardle said. "At no point did they ask for more technical details or provide any indication that they would be patching/fixing this issue."

The actual DLL hijacking vulnerability is an attack vector that has been used against Microsoft Windows operating systems since 2010.

"It turns out that there is a DLL hijacking attack that works against OS X that allows an attacker to exploit vulnerable applications and inject malicious libraries into target processes, bypassing personal security products and even Gatekeeper," Wardle said.

Gatekeeper is the built-in anti-malware technology that Apple has integrated into OS X since the 10.7.5 Mountain Lion release in 2012. Wardle explained that for DLL hijacking to work against OS X, all it takes is for an attacker to place a malicious DLL in a specific location on a system. He added that the attack is very stealthy and is able to abuse legitimate functionality in the operating system, making it difficult to patch against.

To test how many vulnerable applications are in the market, Wardle wrote a Python script, which he plans on releasing after his talk, and found over 150 binaries that are vulnerable to the DLL hijacking attack.

"The applications are not actually doing anything wrong. The dynamic loader will look in multiple locations for DLLs," he said. "So if the legitimate library that the application is looking for is in a secondary location, an attacker can place a malicious DLL, with the same name, in the primary location path."

Wardle explained that the dynamic loader will naively load the malicious DLL that is found in the primary application path, thinking that it is the real DLL. He added that the DLL hijacking exploit can be made persistent on an OS X system, starting up whenever the user boots the system.
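
The search-order condition Wardle describes can be checked on a defender's own systems. The Python below is an added example, not Wardle's script and not code from the article; it assumes the caller supplies the ordered list of search directories (the article does not say how the loader builds it), and the directory layout and library names in `demo()` are constructed.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Finding:
    library: str
    resolved_at: Optional[str]  # first directory that holds the library
    earlier_missing: List[str] = field(default_factory=list)   # searched first, library absent
    earlier_writable: List[str] = field(default_factory=list)  # subset the current user can write to

    @property
    def at_risk(self) -> bool:
        # Condition from the article: the real library sits in a secondary
        # location, so a same-named file in an earlier location would load instead.
        return self.resolved_at is not None and bool(self.earlier_missing)


def audit(library: str, search_dirs: List[str]) -> Finding:
    """Walk search_dirs in loader order and record every miss before the first hit."""
    missing: List[str] = []
    for d in search_dirs:
        if os.path.isfile(os.path.join(d, library)):
            writable = [m for m in missing if os.path.isdir(m) and os.access(m, os.W_OK)]
            return Finding(library, d, missing, writable)
        missing.append(d)
    return Finding(library, None, missing, [])


def demo() -> List[Finding]:
    """Constructed layout: two search locations, two libraries (all names are made up)."""
    root = tempfile.mkdtemp(prefix="search-order-")
    primary = os.path.join(root, "primary")
    secondary = os.path.join(root, "secondary")
    os.makedirs(primary)
    os.makedirs(secondary)
    open(os.path.join(primary, "libfirst.dylib"), "w").close()     # present in first location
    open(os.path.join(secondary, "libsecond.dylib"), "w").close()  # present only in second
    order = [primary, secondary]
    return [audit("libfirst.dylib", order), audit("libsecond.dylib", order)]


if __name__ == "__main__":
    for f in demo():
        status = "REVIEW" if f.at_risk else "ok"
        print(f"{status:6} {f.library} -> {f.resolved_at} (earlier, writable: {f.earlier_writable})")
```

Entries marked REVIEW are the ones where tightening permissions on the earlier directories, or monitoring them for unexpected library files, is worth considering.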

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.