Two serious bugs affecting Macintosh computers can leave your computer riddled with malware — or even permanently controlled by a hacker.
In one instance, security researchers uncovered a new vulnerability that lets hackers install adware like VSearch without ever asking for your password. VSearch is nasty malware that inundates your Mac with pop-up ads and redirects you to a different search engine when you try to use Google.
The bug was made public last week by Stefan Esser, a German security researcher. But rather than contact Apple first (the generally accepted protocol with new bug discoveries), Esser disclosed the bug to the public on his blog.
Security company MalwareBytes said in a blog post Monday that hackers have already taken advantage of the bug Esser found, attacking Macs using the newfound vulnerability. Esser did not respond to a request for comment.
The bug takes advantage of the way that Mac OS X 10.10 (Yosemite) decides which programs can make changes to your computer without your password. Yosemite lists those programs in a hidden file called Sudoers. But the bug allows malware to be listed in the Sudoers file as well.
That means the malware can install any file in any part of the system.
In the hack discovered by MalwareBytes, attackers installed notorious Mac malware including VSearch, MacKeeper and Genieo. The attack also launches a pop-up window that tells the Mac’s owner to install the Download Shuttle app on the Mac App Store.
The only known fix has been provided by Esser himself at https://github.com/sektioneins/SUIDGuard.
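To check whether a sudoers file already carries the kind of entry described above, the following added example (not code from MalwareBytes, Esser or Apple) flags rules that allow commands to run without a password. It assumes the entry uses the standard sudoers `NOPASSWD:` tag or a `Defaults ... !authenticate` setting; the user names and rules in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit a sudoers-format file for passwordless rules.

# audit_sudoers FILE
# Prints one line per finding: a label, a tab, then the offending rule.
audit_sudoers() {
    awk '
        # Join backslash-continued lines into one logical rule.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # Skip comments and blank lines so commented-out rules are not flagged.
        line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/ { next }
        # A Defaults line with !authenticate turns password prompts off.
        line ~ /^[ \t]*Defaults/ {
            if (line ~ /!authenticate/) print "NOAUTH\t" line
            next
        }
        # Any user or group rule tagged NOPASSWD runs without a password.
        line ~ /NOPASSWD[ \t]*:/ { print "NOPASSWD\t" line }
    ' "$1"
}

# write_sample FILE: constructed sudoers content for the demonstration.
write_sample() {
    cat > "$1" <<'EOF'
# Constructed sample, not taken from a real system
root     ALL=(ALL) ALL
%admin   ALL=(ALL) ALL
# exampleuser ALL=(ALL) NOPASSWD: ALL
exampleuser ALL=(ALL) NOPASSWD: ALL
builder  ALL=(root) \
         NOPASSWD: /usr/bin/make
Defaults:exampleuser !authenticate
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_sudoers "$sample"
rm -f "$sample"
```

On a real system the file to audit is `/etc/sudoers`, which is readable only by root.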
Esser noted the bug has been fixed in an upcoming patch to Yosemite as well as a beta version of OS X 10.11 (El Capitan). That’s because Apple has known about the vulnerability for a while, according to MalwareBytes. A security researcher who goes by “@beist” on Twitter informed Apple of the bug long before Esser discovered it.
A spokesman for Apple did not respond to a request for comment.
Meanwhile, a second group of security researchers found a potentially more serious bug that can permanently turn over control of your Mac to a hacker.
Even the most vicious malware can typically be deleted off your computer by reinstalling your operating system. But a new vulnerability found in Macs allows attackers to install malware in the computer’s firmware, which is responsible for booting up your computer and sits one level below the operating system.
Unless you know how to electrically reprogram chips, your computer is essentially toast if it gets hit with this bug.
“For most users that’s really a throw-your-machine-away kind of situation,” researcher Xeno Kovah told Wired, which first reported the story. “Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”
Kovah, along with researchers Trammell Hudson and Corey Kallenberg, demonstrated a preview of their findings on YouTube. They plan to present the findings at this week’s Black Hat cybersecurity conference in Las Vegas.
The researchers said that they developed a computer worm dubbed “Thunderstrike 2,” which can take advantage of the serious bug.
The worm can be installed just like most malware: by clicking on the wrong link or falling for a phishing scheme. Once installed, the malware gets even nastier — it looks for devices connected to your Mac, such as a Thunderbolt Ethernet adapter, which then get loaded with the worm.
When someone else uses your infected adapter, their Mac gets infected too. This is the second firmware bug that the researchers uncovered. Apple fixed the first one recently.