Ex-NSA Researcher Claims That DLL-Style Attacks Work Just Fine On OS X
An anonymous reader writes Ex-NSA and NASA researcher Patrick Wardle claims to have developed a reliable technique of Shared Library replacement which renders Apple's OSX operating system just as vulnerable to exploitation as Windows has been (via its 'DLL' shared libraries) for years. Speaking at CanSecWest, Wardle explained that Apple's refusal to encrypt software downloads via its App Store allows an attacker on the same network to inject a malicious 'dylib' (shared library) without altering the hash of the legitimate-but-vulnerable software, thereby leaving the Developer ID signature intact. Wardle ran a crafted Python script on a typical Mac and discovered 150 dylib-dependent applications, including Apple's own Xcode developer environment — revealed last week by Edward Snowden to be a priority target for the NSA due to its ability to propagate compromised software.
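The summary mentions a Python script that found 150 "dylib-dependent" applications. As an added example (not Wardle's script and not code from the linked article), the inventory tool below shows what such a check looks like from an administrator's side: it parses the load commands of a Mach-O image, lists the dylibs the image declares, and flags the ones dyld resolves at run time rather than from a fixed path (weak imports, which dyld tolerates being absent, and `@rpath/` names, which are searched along the `LC_RPATH` list). The constants are the public values from Apple's `<mach-o/loader.h>`; `SAMPLE_IMAGE`, its library names and the `scan_tree` helper are constructed for this example, and fat/universal binaries are deliberately not unpacked.

```python
import os
import struct
import sys

# Mach-O constants (public values from <mach-o/loader.h>)
MH_MAGIC = 0xFEEDFACE            # 32-bit image
MH_MAGIC_64 = 0xFEEDFACF         # 64-bit image
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_RPATH = 0x1C | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
_DYLIB_CMDS = (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB)


def _cstr(buf, start, end):
    """Decode the NUL-terminated string stored between start and end."""
    return buf[start:end].split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_dylib_dependencies(data):
    """Walk the load commands of one thin, little-endian Mach-O image.

    Returns (dylibs, rpaths): one dict per LC_LOAD_DYLIB / LC_LOAD_WEAK_DYLIB /
    LC_REEXPORT_DYLIB entry, plus the ordered LC_RPATH list that "@rpath/"
    names are resolved against. Fat binaries (magic 0xCAFEBABE) are rejected.
    """
    if len(data) < 28:
        raise ValueError("too short to be a Mach-O image")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)   # same offsets in both headers
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    dylibs, rpaths, off = [], [], header_size
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd in _DYLIB_CMDS:
            # dylib_command: cmd, cmdsize, lc_str name (offset), timestamp, two versions
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            name = _cstr(data, off + name_off, off + cmdsize)
            dylibs.append({"name": name, "weak": cmd == LC_LOAD_WEAK_DYLIB,
                           "rpath_relative": name.startswith("@rpath/")})
        elif cmd == LC_RPATH:
            # rpath_command: cmd, cmdsize, lc_str path (offset)
            path_off = struct.unpack_from("<I", data, off + 8)[0]
            rpaths.append(_cstr(data, off + path_off, off + cmdsize))
        off += cmdsize
    return dylibs, rpaths


def audit_image(data):
    """Summarise the imports that depend on what is on disk at run time."""
    dylibs, rpaths = parse_dylib_dependencies(data)
    return {
        "total": len(dylibs),
        "weak": [d["name"] for d in dylibs if d["weak"]],
        "rpath_relative": [d["name"] for d in dylibs if d["rpath_relative"]],
        "rpaths": rpaths,
    }


def scan_tree(root):
    """Yield (path, report) for each thin Mach-O file under root; skip everything else."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    yield path, audit_image(fh.read())
            except (OSError, ValueError):
                continue


# --- constructed sample image for offline use; not a real application ---
def _lc_with_string(cmd, extra_fields, s):
    """Build a load command whose fixed fields are followed by an lc_str payload."""
    fixed_len = 8 + 4 * (1 + len(extra_fields))   # cmd, cmdsize, lc_str offset, extras
    body = s.encode() + b"\0"
    total = fixed_len + len(body)
    total += -total % 8                            # 64-bit cmdsize is 8-byte aligned
    head = struct.pack("<III", cmd, total, fixed_len)
    head += struct.pack("<%dI" % len(extra_fields), *extra_fields)
    return head + body.ljust(total - fixed_len, b"\0")


def build_macho64(cmds):
    """Wrap load commands in a mach_header_64 (arm64, MH_EXECUTE)."""
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(cmds), sum(len(c) for c in cmds), 0, 0)
    return header + b"".join(cmds)


SAMPLE_IMAGE = build_macho64([
    _lc_with_string(LC_LOAD_DYLIB, (2, 0x04FF0000, 0x10000), "/usr/lib/libSystem.B.dylib"),
    _lc_with_string(LC_LOAD_WEAK_DYLIB, (2, 0x10000, 0x10000), "@rpath/libOptionalPlugin.dylib"),
    _lc_with_string(LC_RPATH, (), "@executable_path/../Frameworks"),
    _lc_with_string(LC_RPATH, (), "/tmp/build-cache"),
])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, report in scan_tree(sys.argv[1]):
            if report["weak"] or report["rpath_relative"]:
                print(path, report)
    else:
        print(audit_image(SAMPLE_IMAGE))
```

Run without arguments it reports on the constructed sample; given a directory (for instance `/Applications`) it prints every thin Mach-O file whose imports are resolved at run time, together with the `LC_RPATH` search list, so each listed path can be checked for an existing, signed library and for directory permissions. Universal binaries would need their per-architecture slices unwrapped first.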
don't the shared libs need to be signed.
I was under the impression that as of MacOS/X 10.9.x, all distributed shared libraries in your .app directory needed to be signed as well, or Gatekeeper would treat the app as if it was unsigned. (See the "Code Signing Changes in OS X Mavericks" subsection at this link)
Is the vulnerability described in the article applicable only to older versions of MacOS/X, or has the researcher found a way around that test?
I don't care if it's 90,000 hectares. That lake was not my doing.
Is the vulnerability described in the article applicable only to older versions of MacOS/X, or has the researcher found a way around that test?
Quoting the article: "It’s not a point-and-click exploit – the attacker will need to get on the same network as the target Mac, either through a breach or by sharing the same public Wi-Fi access point, and then inject a vulnerable but legitimate application and make some purely cosmetic changes to the appearance of the .dmg (virtual installer disk) file when mounted."
Sounds pretty theoretical at this point. I don't see the "reliable technique of Shared Library replacement" that the summary declares.
The only thing worse than a Democrat is a Republican.