
Swedish hacker finds 'serious' vulnerability in OS X Yosemite

Magnus Aschan | Nov. 3, 2014
A full disclosure is likely to be published in January.


A white-hat hacker from Sweden says he's found a serious security hole in Apple's Yosemite OS X that could allow an attacker to take control of your computer.

Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability "rootpipe" and has explained how he found it and how you can protect against it.

It's a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system.

It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn't fixed the flaw yet, he says, so Truesec won't provide details of how it works for now.

"It all started when I was preparing for two security events, one in Stockholm and one in Malmö," Kvarnhammar says. "I wanted to show a flaw in Mac OS X but relatively few have been published. There are a few 'proof of concepts' online, but the latest I found affected the older 10.8.5 version of OS X. I couldn't find anything similar for 10.9 or 10.10."

Mac users tend to keep their OS more up to date than Windows users, he says, and he wanted to find a vulnerability that would affect current users, so he started digging around in the newer versions of OS X.

"I started looking at the admin operations and found a way to create a shell with root privileges," he says. "It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it."

He tested the vulnerability on version 10.8.5 of the OS and got it to work, he says. Then he tried it on 10.9, but with no luck.

"I was a bit dejected but continued to investigate," Kvarnhammar said. "There were a few small differences [in later releases] but the architecture was the same. With a few modifications I was able to use the vulnerability in the latest Mac OS X, version 10.10."

When he's trying to find vulnerabilities in an OS, he said, he tries to get a feel for how the developer was thinking. In this case, Apple had migrated and moved some functions, but basically the same flaws remained.

"Normally there are 'sudo' password requirements, which work as a barrier, so the admin can't gain root access without entering the correct password. However, rootpipe circumvents this," he says.

He says he reported the vulnerability to Apple the day after he discovered it.

He didn't get much of a response, he said, which didn't surprise him given Apple's policy of not confirming vulnerabilities. But because Apple agreed to a date when he can publish details of the flaw, he believes the company indirectly confirmed it.

