Mac malware that relied on a security exploit so small it fitted in a tweet has been upgraded to infect OS X machines after Apple closed that particular hole.
The malware once used the patched OS X DYLD_PRINT_TO_FILE vulnerability that grants attackers root privilege escalation through trivial code. This was fixed in the OS X El Capitan beta and the latest stable version of OS X – version 10.10.5.
So the updated version of the malware now throws a fleeting installer request to access the OS X keychain and simulate a click on the "allow" button before the user can prevent the installation.
MalwareBytes researcher Thomas Reed said that this grants access to the Safari Extensions List, but could grant attackers access to iCloud accounts and other keychain data.
"More concerning, though, is the question of what’s to stop this adware from accessing other confidential keychain information like passwords?" Reed added.
"With a few minor changes, the adware could get access to other things from the keychain, like the user’s iCloud password. The user may be made suspicious by the window flashing up then disappearing, but may not know what the full implications of that are or what to do about it."
It could also be an attempt to develop mitigations for the better security controls in the upcoming El Capitan OS X release.
The malware will deposit other ad-injecting and scareware crap on OS X lawns while messing with the keychain, Reed said.
Webroot researcher Devin Byrd said a similar variant had been found messing with the popular AdBlock extension to ensure its injected advertisements will not be blocked. ®