Now It's Apple's Turn to Face the DLL Threat

By CIOReview | Wednesday, March 25, 2015

FREMONT, CA: Dynamic Link Library (DLL) hijacking is back now, to haunt Apple’s Mac OS X after tormenting Windows more than a decade ago.

Peter Wardle, Research Director at Synack –a security intelligence company –has said that DLL hijacking can be used to bypass OS X’s multiple layers of security and he presented his research on the topic, at  a recent security conference.

DLL highjacking is a process by which malicious code is injected into an application through a malicious DLL with the same name as a DLL used by the application; the application’s vulnerability to highjack depends on the referencing of DLLs. Sean Michael Kerner, for eWeek reports that Wardle had submitted the bug report to Apple and did not receive any response initially but resubmission of the same was rewarded with an automated one.

Wardle said that Apple’s built-in anti-malware technology –Gatekeeper –was no exception to the threat. He informed that the Python script written by him to test the vulnerability of applications, had found over 150 binaries susceptible to the threat of dylib highjacking attacks. Speaking on the nature of the threat, he said that they are stealthy and could take advantage of functionality and could make it an arduous task to strive against them.

Further, he said that the threat could be made persistent and would initiate every time the user boots the system. Infecting the code was possible as some software was downloaded over HTTP, instead of HTTPS which is considered more secure.

In addition to this, he also said that this attack was tested against all Mac products and none of them managed to detect the threat. "Apple could change the dynamic loader such that when a signed application is loaded, it will only load DLLs that are signed by the same company or developer," Wardle said. "For users, there is no reason why companies should have software downloads over HTTP, as they are trivially easy to intercept." he added.