DYLD_PRINT_TO_FILE and malware: What you need to know


DYLD_PRINT_TO_FILE is an OS X 10.10 Yosemite vulnerability that could allow malicious code on your Mac to escalate its privileges—gain "root" access—and potentially exploit the system. Now an anti-malware company named Malwarebytes has reported finding just such an exploit "in the wild", meaning it's already being used to try and install malware on Macs.

What does the malware do?

The malware uses DYLD_PRINT_TO_FILE to modify "sudoers"—a file that controls what commands can be run on your Mac, and what passwords are needed to run them, and by whom—so it can launch VSInstaller, which then installs junkware.

Has Apple patched the problem?

DYLD_PRINT_TO_FILE has already been patched in the OS X 10.11 El Capitan beta and in the OS X 10.10.5 beta. While El Capitan is only coming later this fall, OS X 10.10.5 should be imminent.

What else can and has Apple done?

It looks like Apple has already revoked the certificate used for the junkware, so Gatekeeper—Apple's system that blocks untrusted software—will prevent it from being launched without explicit user intervention. It also looks like Apple has at least begun to update OS X's automatic anti-malware definitions to recognize and reject the junkware, so it won't be able to be installed at all.

What do certificates and definitions have to do with this?

Effective security comes in layers. Properly fixing and testing patches takes time, and not everyone updates immediately. Given those realities, the ability to revoke certificates and add signature, when coupled with technologies like Gatekeeper and built-in anti-malware, helps prevent malicious code for executing even if it does make it onto an un-patched system.

OS X El Capitan technologies like System Integrity Protection will take this even further by limiting the harm an exploit could cause even if it did manage to escalate its privileges to root.

Apple also provides the Mac App Store as a safer and more secure place to download software from, so OS X customers aren't left to internet download sites that are typically strewn with junkware and malware.

Do I need to worry about this malware?

Malware is a problem. OS X 10.10.5 and the DYLD_PRINT_TO_FILE patch needs to be released as fast as engineering and quality assurance allows, and when it is, we need to update asap. In the meantime certificates need to be revoked and malware definitions updated just as soon as new exploits are discovered.

But malware exists well beyond DYLD_PRINT_TO_FILE. If you download files from places you can't trust, you're at high risk of getting junkware and potentially worse on your Mac. Apple needs to fix bugs when they're discovered, and needs to keep putting as many blockades in the way of malicious software as the company can, but we need to do our part as well.

That means only downloading from trusted sites like the Mac App Store, Adobe.com, http://Microsoft.com, and well-known developers with solid reputations, and it means being very careful about the links you click in emails, on social networks, and in other forums.

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.