At this year’s CanSecWest security conference, a researcher demonstrated that Apple’s OS X is vulnerable to a hijacking technique in which applications are made to load malicious shared libraries.
Applications rely on dynamically linked libraries (DLLs on Windows, dylibs on OS X) as repositories of shared code. Apple’s OS X can be compromised by a DLL hijack, which tricks the OS X loader into treating a corrupted application as valid.
This library injection technique was very common on the Windows platform until Microsoft took significant measures to prevent it. Unfortunately, the attack is even easier to execute on OS X. In traditional process injection attacks, malicious code is mapped into a remote process, which then hijacks the original process. In this new Apple vulnerability, the attacker only needs to copy a malicious dylib (dynamic library) into a directory the target application searches and then launch the application, which loads the library at start-up. Even though only certain applications are vulnerable to this kind of dynamic library hijack, it undermines Apple’s security architecture.
Applications directly affected include Xcode, QuickTime, iMovie, iCloud, Photo Stream, and the OS X editions of Microsoft Word, Excel, and PowerPoint. Cloud applications such as Google Drive and Dropbox are also at risk.
This vulnerability – which Windows addressed and resolved in 2010 – will place Apple users at risk until it is addressed in the core operating system.
Fortunately, SentinelOne Endpoint Detection & Response automatically identifies this type of threat. Since our agents monitor all system activity, including the operating system loader, we are able to detect and remediate this vulnerability. Using our predictive execution engine to track behavior, we stay ahead of threats and prevent attacks from compromising protected endpoints.