There are vulnerabilities in OS X that allow attackers to run malicious code inside legitimate applications such as Xcode, iCloud, iMovie, Microsoft Office and Dropbox. The discoverer advises users not to install programs from outside the Mac App Store for the time being.
There are two flaws in the way programs on OS X search for external libraries (dylibs), according to the write-up of the vulnerabilities in Virus Bulletin and a presentation at the CanSecWest 2015 security conference. Some programs keep searching for such a library even when it is not found in its expected location. This makes it possible for an attacker to place a library of that name, a dylib, in one of the locations that is searched.
The second route goes through OS X Helper, which programs can ask where the correct dylib files are located. If it is tricked into pointing at malicious libraries, the programs trust and load them. Gatekeeper cannot prevent these attacks, because the malicious code is only loaded into the applications after installation. Once the malicious files are loaded, an attacker can execute commands on the computer.
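As an added illustration, not code from the original report or from Wardle's tool, the following Python walks the load commands of a 64-bit Mach-O image and reports the two conditions described above: a weak library import whose file is absent, and an @rpath import whose earlier search directories are empty, so a dylib placed there would be loaded first. The sample image, its paths and the `exists` callback are constructed for the demonstration.

```python
import struct
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit little-endian Mach-O (x86_64 app binaries)
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_RPATH = 0x0C, 0x80000018, 0x8000001C
def load_commands(data):
    """Yield (cmd, raw bytes) for each load command; mach_header_64 is 32 bytes, ncmds at index 4."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    off = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def scan(data):
    """Collect weak imports, strong imports and the LC_RPATH search list of one image."""
    report = {"weak": [], "strong": [], "rpaths": []}
    for cmd, body in load_commands(data):
        key = {LC_LOAD_WEAK_DYLIB: "weak", LC_LOAD_DYLIB: "strong", LC_RPATH: "rpaths"}.get(cmd)
        if key:  # dylib_command and rpath_command both keep their string offset at byte 8
            start = struct.unpack_from("<I", body, 8)[0]
            report[key].append(body[start:body.index(b"\0", start)].decode())
    return report

def hijackable(report, exists):
    """Places a planted dylib would load from: absent weak imports, and @rpath slots searched before the real copy."""
    findings = []
    for name in report["weak"]:
        if not name.startswith("@rpath/") and not exists(name):
            findings.append(("missing weak dylib", name))
    for name in report["weak"] + report["strong"]:
        if name.startswith("@rpath/"):
            for rp in report["rpaths"]:  # dyld tries LC_RPATH entries in order
                candidate = rp + "/" + name[len("@rpath/"):]
                if exists(candidate):
                    break
                findings.append(("empty rpath slot", candidate))
    return findings

def _lc(cmd, path):
    """Constructed test data: one rpath_command (12-byte header) or dylib_command (24-byte header)."""
    hdr, s = (12 if cmd == LC_RPATH else 24), path.encode() + b"\0"
    size = (hdr + len(s) + 7) & ~7  # load commands are 8-byte aligned
    return struct.pack("<3I", cmd, size, hdr) + b"\0" * (hdr - 12) + s.ljust(size - hdr, b"\0")

def build_sample():
    """Constructed sample image, not a real app: two rpaths, one weak import, one @rpath import."""
    cmds = (_lc(LC_RPATH, "/Users/demo/lib") + _lc(LC_RPATH, "/Applications/Demo.app/Contents/Frameworks")
            + _lc(LC_LOAD_WEAK_DYLIB, "/usr/local/lib/libplugin.dylib") + _lc(LC_LOAD_DYLIB, "@rpath/libcore.dylib"))
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 0, 2, 4, len(cmds), 0, 0) + cmds
```

Against a real binary, `scan(open(path, "rb").read())` with `hijackable(report, os.path.exists)` gives the same report; fat (multi-architecture) files would first need the x86_64 slice extracted.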
In addition to Apple's own programs such as Xcode, iMovie and iCloud Photos, third-party programs such as the Spotify and VLC installers can also be affected.
The discoverer of the vulnerabilities, Patrick Wardle of the security company Synack, has put a tool online that lets users check their own desktop or laptop for vulnerable Mac apps. Because the behaviour is a feature of the operating system, the vulnerabilities are difficult to fix completely, but Apple could at least update Gatekeeper. It is unknown when Apple will close the dylib vulnerabilities and make these types of attacks impossible; Apple has been notified of the vulnerabilities twice. Wardle recommends that OS X users download applications only over secure connections or obtain them only from the Mac App Store.