Skip to main content

DYLD_PRINT_TO_FILE and malware: What you need to know

MacBook
MacBook

DYLD_PRINT_TO_FILE is an OS X 10.10 Yosemite vulnerability that could allow malicious code on your Mac to escalate its privileges—gain "root" access—and potentially exploit the system. Now an anti-malware company named Malwarebytes (opens in new tab) has reported finding just such an exploit "in the wild", meaning it's already being used to try and install malware on Macs.

What does the malware do?

The malware uses DYLD_PRINT_TO_FILE to modify "sudoers"—a file that controls what commands can be run on your Mac, and what passwords are needed to run them, and by whom—so it can launch VSInstaller, which then installs junkware.

Has Apple patched the problem?

DYLD_PRINT_TO_FILE has already been patched in the OS X 10.11 El Capitan beta and in the OS X 10.10.5 beta. While El Capitan is only coming later this fall, OS X 10.10.5 should be imminent.

What else can and has Apple done?

It looks like Apple has already revoked the certificate used for the junkware, so Gatekeeper—Apple's system that blocks untrusted software—will prevent it from being launched without explicit user intervention. It also looks like Apple has at least begun to update OS X's automatic anti-malware definitions to recognize and reject the junkware, so it won't be able to be installed at all.

What do certificates and definitions have to do with this?

Effective security comes in layers. Properly fixing and testing patches takes time, and not everyone updates immediately. Given those realities, the ability to revoke certificates and add signature, when coupled with technologies like Gatekeeper and built-in anti-malware, helps prevent malicious code for executing even if it does make it onto an un-patched system.

OS X El Capitan technologies like System Integrity Protection will take this even further by limiting the harm an exploit could cause even if it did manage to escalate its privileges to root.

Apple also provides the Mac App Store as a safer and more secure place to download software from, so OS X customers aren't left to internet download sites that are typically strewn with junkware and malware.

Do I need to worry about this malware?

Malware is a problem. OS X 10.10.5 and the DYLD_PRINT_TO_FILE patch needs to be released as fast as engineering and quality assurance allows, and when it is, we need to update asap. In the meantime certificates need to be revoked and malware definitions updated just as soon as new exploits are discovered.

But malware exists well beyond DYLD_PRINT_TO_FILE. If you download files from places you can't trust, you're at high risk of getting junkware and potentially worse on your Mac. Apple needs to fix bugs when they're discovered, and needs to keep putting as many blockades in the way of malicious software as the company can, but we need to do our part as well.

That means only downloading from trusted sites like the Mac App Store, Adobe.com, http://Microsoft.com, and well-known developers with solid reputations, and it means being very careful about the links you click in emails, on social networks, and in other forums.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

8 Comments
  • You sure its fixed in the 10.10.5 beta? I grabbed this from Appleinsider. "Ars Technica first reported on the bug uncovered by researcher Stefan Esser last week, saying developers failed to use standard security protocols OS X dynamic linker dyld. Esser said the vulnerability is present in Apple's current OS X 10.10.4 and recent beta versions of OS X 10.10.5, but not early builds of OS X 10.11."
  • [quote]That means only downloading from trusted sites like the Mac App Store, Adobe.com, http://Microsoft.com, and well-known developers with solid reputations, and it means being very careful about the links you click in emails, on social networks, and in other forums.[/quote] makes me laugh; why isn't Malwarebytes in the Mac App Store? and how do i know if the software hosted at the so called 'well-known developers with solid reputations' aren't hacked?
  • This, I think Tim also mentioned how each and every app is curated by hand some time too. Mind you nothing is 100%.
  • So should I say "bye Apple" and stop using my Macbook Air and be like that security guy you wrote about? You don't like fud but it's very easy to spread. And yes there is a problem with stagefright on Android and yes there is a problem with updates as well. The point is be aware and remember nothing is 100% safe.
  • But apple and many people claim that mac is free of virus and whatever-ware, not? Posted from my Samsung Galaxy S6
  • Everybody move to BlackBerry... Quick! Posted via the iMore App for Android
  • That might be a good idea.
  • Aw Blackberries. O prefer Apples any day truth be told. Blackberries are so much easier to squeeze though, not much juice left there. A shame. Posted via the iMore App on my iPad Air or iPod Touch 5