Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Swedish hacker finds 'serious' vulnerability in OS X Yosemite

Magnus Aschan | Nov. 3, 2014
A full disclosure is likely to be published in January.

"For our part, there was no discussion: we do responsible disclosure," he said. "But we also wanted to announce that we found a serious flaw; there is a big risk here."

"In our dialogue with Apple, we agreed on a date for full disclosure. After this date, we can talk about exactly what we found."

As it stands now, a full disclosure is likely to be published in January.

Apple takes security seriously, he said, though they're sometimes a bit "careful" about the information they publish because they want to give the impression that their software it is as safe as possible. But he said it's naive to think OS X is immune to critical vulnerabilities. Like any complex software, he says, there are inherently numerous flaws.

So how did he come up with the name rootpipe? "I cant get into that too much; I'll get back to you when we can provide more information," he said.

He says there are ways to protect against rootpipe and enhance the security of your Mac generally. Step one is to make sure you're not running the system on a daily basis with an admin account -- that is, one that has admin privileges.

That's tricky since most Macs get set up with only one account on them, and that account has admin privileges. His tip is to create a new account and assign it admin privileges, and call it "admin" or something similar. Then log into the admin account and remove the admin permissions from the other account you'll be using day in and day out.

That means if a hacker takes over the account that's used daily, it won't have the admin permissions, which will limit the harm they can do. For the user, they'll have to enter an admin password when they want to install new software or make some other change, but it might be worth the hassle until the flaw gets fixed.

He also recommends using Apple's FileVault tool, which encrypts the hard drive. The performance hit on the system is minimal, he says, and you probably won't notice it at all.

"This is a great way of protecting your data, especially if your computer gets stolen," he says.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.