Apple To Patch DYLD Security Bug As Concern Over Firmware Flaw Mounts

In its next security update, Apple plans to patch a security vulnerability that enables outsiders to install malicious software on a Mac computer without a password, the company said. But the exploit, which Apple said will be fixed “as soon as possible,” is another reminder that the legendary Mac security is no longer bulletproof.

The “privilege escalation” bug, first reported Monday and known as DYLD, makes it possible for hackers to install adware applications on a laptop or desktop without the owner's authorization. Research from the cybersecurity firm Malwarebytes indicated that at least one adware installer has already started, using the zero-day exploit, to modify victims' files. Now, though, the Guardian reports that Apple plans to patch the issue in the next operating system, OS X 10.10.5, and will blacklist apps found to be using the exploit.

Apple's promise to fix the security issue comes amid revelations around Thunderstrike 2, a computer worm that can spread between Macs that aren't even sharing the same network. The malware infects an initial machine through a phishing link, then spreads via devices that plug into different computers (Ethernet cables, for example). Xeno Kovah and Corey Kallenberg, the researchers who invented Thunderstrike 2, said the only way to scrub an infected machine is essentially to dispose of it.

“[The attack] is really hard to detect. ... It's really hard to get rid of,” Kovah told Wired, adding that the worm embeds into a computer's firmware, the software that loads the operating system upon startup. “It's really hard to protect against something that's running inside the firmware. ... For most users that's really a throw-your-machine-away kind of situation.”