Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability “rootpipe” and has explained how he found it and how you can protect against it. It’s a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system. It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn’t fixed the flaw yet, he says, so Truesec won’t provide details yet of how it works.
There is always one metric these bloggers will NEVER tell you when reporting stories like this: that bugs are triaged based not only on POTENTIAL threat. Potential threat is a combination of severity and ease. Rootpipe may be very severe, but hard to implement, which would put it lower on the potential threat scale, meaning you don’t need to move heaven and earth to patch it.
Also, a lot of these hackers are megalomaniacs, desperate for their 15 minutes of fame, usually with the collaboration of tech bloggers. The ominous “he was initially met with silence” was probably in all reality: It took a couple of days for Apple to reply to the email.
Edited 2014-11-04 04:06 UTC
“a lot of these hackers are megalomaniacs”
translation:
“a lot of [insert stereotype here] are [insulting generalisation]”
Care to provide a reference for your assertion or shall I continue to work on the assumption that you’re an imbecile?
And we could also differentiate the hackers from the crackers, the pirates. And there’s also the nerds, the otakus, the…
Kochise
Yosemite is one big heaping pile of crap…I’ve had nothing but problems on both my real Mac and my hackintosh…I’m extremely displeased.
Edited 2014-11-04 04:11 UTC
The article isn’t clear on that, but it looks to me that the exploit is local, i.e. the attacker needs to already have access to your machine somehow. In which case you have bigger problems than one privilege escalation vulnerability.
Now if your Mac has multiple users with ssh access, then it’s serious since any of those could elevate their privileges. But machines like this usually run Linux or some other kind of Unix, not OS X.
It could perhaps be exploited through the network services that OS X offers, like CUPS or the HTTP server.
All we could assert is pure speculation given the restraint on the disclosure.
Usually, but I know a ton of Mac guys at work that build their servers out of Macs, just ’cause.
I wish people would stop spreading this falsehood. “Local exploit” only means that the attacker needs to be able to run a process locally on the machine, not that he needs to be physically at the console.
This is a privilege escalation and what it means is that it only takes one simple bug in Firefox or Safari (and there have been and will be plenty) to PWN your machine.
How often do we hear fanbois proclaim that “it’s the user’s own fault because installing this malware will prompt for an admin password”. Guess what – all those vulnerabilities dismissed as “not serious” suddenly become total machine ownage when combined with this one.
Local privilege vulnerabilities are serious. Attackers are sophisticated and (above all) persistent. If they find a vuln in Safari (or simply reverse engineer it from Google’s patches, as Apple is always notoriously behind) they may “sit” on it until an opportunity like this one appears.
To be clear: this isn’t different from any other OS. Local privilege escalations are always only one other vuln away from becoming system pwnage.
I know, but my point is that a desktop Mac doesn’t run that many services.
Neither does a properly set up desktop Linux for that matter. Not sure how annoying the defaults are this week.