Dynamic linkers trusting variables during setuid operation has long been a place known to be security-sensitive (or alternatively a fruitful source of privilege escalation bugs; see CVE-2010-3847 re LD_AUDIT, http://seclists.org/bugtraq/2004/Aug/281 re LD_DEBUG, CVE-1999-1182 (!) re LD_DEBUG, etc.). The bug had never been particularly hidden from those with a malicious eye.
Frankly, I find myself reading dyld's source code every so often when tracking down something or another with OS X program loading. I'm not saying I would have caught it, but I'm pretty sure I'm not the only one who reads it non-maliciously.
Furthermore, it was fixed in 10.11 betas, so Apple themselves already knew about it [edit: apparently not]:
Repost from the comments in the original article indicates it may have been fixed because Apple changed something in the way it handles permissions.
>EdisonCarter 3 days ago
>It's only really "fixed" in El Capitan as a side effect of
>Apple introducing the new - and widely reported -
>"rootless" security feature which introduces fine grained file permissions.
https://twitter.com/i0n1c/status/624103245233917952