Update your Mac: Apple fixes major flaw in OS X Yosemite, but won't patch Lion, Mountain Lion or Mav

Posted in macOS, edited June 2015
A serious vulnerability present in every iteration of Apple's desktop operating system since OS X 10.7, one which allows any user process to gain root privileges, was disclosed to the public on Thursday following the release of OS X 10.10.3, which addresses the issue, and users are urged to update as older OS X versions will remain susceptible to attack.

The problem revolves around an unpublished OS X API used by system processes, like System Preferences, for privilege escalation. TrueSec's Emil Kvarnhammar discovered that any OS X user, whether or not their account possesses administrative rights, could gain root access by exploiting this API.

This presents a critical security threat for users of unpatched OS X versions. Users who unwittingly install malware containing exploit code could hand over complete control of their Mac to the attacker, no matter what other security precautions they may have taken.

As a result, OS X users are urged to upgrade to Yosemite version 10.10.3 as soon as possible. Apple will not patch versions older than 10.10, reportedly due to the complexity of the fix.

For users running OS X 10.10, 10.10.1, or 10.10.2, a patch for this bug is included in Security Update 2015-004.

Kvarnhammar first discovered the vulnerability in OS X Mavericks last October, and reported it to Apple immediately. The company asked Kvarnhammar to postpone public disclosure, which generally occurs within 90 days of discovery, "due to the amount of changes required in OS X," and a full fix was not implemented until this week.
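As an added example (not code from the article, Apple or TrueSec), the check a fleet administrator would want: a small POSIX shell script that maps a reported OS X product version onto the affected, unpatched and fixed ranges the article describes. The sample versions at the bottom are constructed, and the `sw_vers -productVersion` call only runs on a Mac.

```shell
#!/bin/sh
# Added example, not from the article: classify an OS X version against the
# ranges the article states for the Admin Framework bug (CVE-2015-1130).
#   < 10.7            not affected (bug present since 10.7)
#   10.7 .. 10.9.x    vulnerable, Apple will not backport a fix
#   10.10 .. 10.10.2  vulnerable, update to 10.10.3 / Security Update 2015-004
#   >= 10.10.3        patched

# ver_key V: print "major minor patch" as plain integers; missing fields are 0.
ver_key() {
    printf '%d %d %d' \
        "$(printf '%s' "$1" | cut -d. -f1)" \
        "$(printf '%s.0' "$1" | cut -d. -f2)" \
        "$(printf '%s.0.0' "$1" | cut -d. -f3)"
}

# ver_ge A B: succeed when dotted version A >= B (numeric, field by field).
ver_ge() {
    set -- $(ver_key "$1") $(ver_key "$2")
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]
    else [ "$3" -ge "$6" ]
    fi
}

# osx_status V: print not-affected, unpatched-no-fix, update-required or patched.
# Caveat: a product version below 10.10.3 cannot show whether Security Update
# 2015-004 was installed, so such systems are reported as update-required.
osx_status() {
    if ! ver_ge "$1" 10.7; then echo not-affected
    elif ! ver_ge "$1" 10.10; then echo unpatched-no-fix
    elif ! ver_ge "$1" 10.10.3; then echo update-required
    else echo patched
    fi
}

# On a Mac, report the running system; elsewhere run the constructed samples.
if command -v sw_vers >/dev/null 2>&1; then
    v=$(sw_vers -productVersion)
    echo "$v: $(osx_status "$v")"
else
    for v in 10.6.8 10.9.5 10.10.2 10.10.3 10.11; do
        echo "$v: $(osx_status "$v")"
    done
fi
```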

Comments

  • Reply 1 of 102
    desuserign Posts: 1,316 member

    As a result, OS X users are urged to upgrade to Yosemite version 10.10.3 as soon as possible. Apple will not patch versions older than 10.10, reportedly due to the complexity of the fix.

    I certainly hope they reconsider their position on this.
  • Reply 2 of 102
    SpamSandwich Posts: 33,408 member

    There's just no way I'll upgrade to Yosemite at this point. The bashing of Photos alone has convinced me to wait longer, however many other issues have more than convinced me that Yosemite isn't for me yet.

  • Reply 3 of 102
    SpamSandwich Posts: 33,408 member
    Quote:
    Originally Posted by DESuserIGN View Post

    I certainly hope they reconsider their position on this.

    Also, where's the source for definitive evidence that this vulnerability will not be addressed by Apple?

  • Reply 4 of 102
    bobjohnson Posts: 154 member
    Quote:
    Originally Posted by SpamSandwich View Post

    Also, where's the source for definitive evidence that this vulnerability will not be addressed by Apple?

    Quoted from TrueSec: "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."

  • Reply 5 of 102
    SpamSandwich Posts: 33,408 member
    Quote:
    Originally Posted by BobJohnson View Post

    Quoted from TrueSec: "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."

    And has anyone independently verified this?

  • Reply 6 of 102
    just_me Posts: 590 member
    No love for the cats
  • Reply 7 of 102
    bobjohnson Posts: 154 member
    Quote:
    Originally Posted by SpamSandwich View Post

    And has anyone independently verified this?

    It's a direct quote from the researcher who discovered the problem and worked with Apple's security team to fix it. What more confirmation do you want?

    There's also this: https://support.apple.com/en-us/HT204659

    Quote:
    • Admin Framework
      Available for: OS X Yosemite v10.10 to v10.10.2
      Impact: A process may gain admin privileges without properly authenticating
      Description: An issue existed when checking XPC entitlements. This issue was addressed with improved entitlement checking.
      CVE-ID
      CVE-2015-1130 : Emil Kvarnhammar at TrueSec


  • Reply 8 of 102
    just_me Posts: 590 member

    And has anyone independently verified this?

    I too would like to know how to use the API to test
  • Reply 9 of 102
    I'm sure Daniel Eran Dilger will be all over this as he is with Android flaws /s
  • Reply 10 of 102
    Quote:
    Originally Posted by SpamSandwich View Post

    There's just no way I'll upgrade to Yosemite at this point. The bashing of Photos alone has convinced me to wait longer, however many other issues have more than convinced me that Yosemite isn't for me yet.

    Seriously, those railing on the new system and refusing to move to it are missing out on heaps of benefits. So Photos doesn't live up to some people's expectations. Whoopdeedoo. It's not like there are no other options for them.

    The security and performance benefits alone are a great reason to upgrade. The fact it's FREE to do so shouldn't even be a reason to not upgrade.

    Frankly you deserve to have someone gain root access to your machine.

  • Reply 11 of 102
    This is one of those times I'm glad to still be on Snow Leopard!
  • Reply 12 of 102
    decondo Posts: 21 member

    Thanks Apple. Guess you'll do almost anything to get me to use the ugly new operating system!

  • Reply 13 of 102
    Quote:
    Originally Posted by Darryn Lowe View Post

    Then you're an idiot.

    Seriously, those railing on the new system and refusing to move to it are missing out on heaps of benefits. So Photos doesn't live up to some people's expectations. Whoopdeedoo. It's not like there are no other options for them.

    The security and performance benefits alone are a great reason to upgrade. The fact it's FREE to do so shouldn't even be a reason to not upgrade.

    Frankly you deserve to have someone gain root access to your machine.

    Sorry but there are too many flaws and things about Yosemite that I don't like about it to upgrade. Photos is just one of them. The OP is hardly an "idiot" as you ascribe to him.

  • Reply 14 of 102

    I wish they'd bring this back to Lion, seeing the number of machines they orphaned on it.

  • Reply 15 of 102
    asdasd Posts: 5,670 member
    Root escalations mean something to computers set up with multiple users. Meaningless to most users.

    If you want real protection download sandboxed apps from the Mac store only and turn that setting on to disable everything else.
  • Reply 16 of 102
    Quote:
    Originally Posted by King Editor the Grate View Post

    This is one of those times I'm glad to still be on Snow Leopard!

    Hah, I just flashed my Mini 1,1 (HTPC) to push it to Lion for iTunes 12. Sadly all but one of my Intel Macs is on Lion.

    Quote:
    Originally Posted by Lord Amhran View Post

    Sorry but there are too many flaws and things about Yosemite that I don't like about it to upgrade. Photos is just one of them. The OP is hardly an "idiot" as you ascribe to him.

    You're one of those "oh the UI changed I hates it!" people?

  • Reply 17 of 102
    asdasd Posts: 5,670 member

    Sorry but there are too many flaws and things about Yosemite that I don't like about it to upgrade. Photos is just one of them. The OP is hardly an "idiot" as you ascribe to him.

    Yosemite is fine now. As are all 10.N.x releases where x > 0.
  • Reply 18 of 102
    habi Posts: 317 member
    I have 4 Macs without even 1 in Yosemite. I think I will follow this closely, depending on Apple's moves, to determine which operating system will be on my next new machine. It would be sad to dump Apple, but if they leave me no choice with their security policies then so be it.
  • Reply 19 of 102
    SpamSandwich Posts: 33,408 member
    Quote:
    Originally Posted by Lord Amhran View Post

    Sorry but there are too many flaws and things about Yosemite that I don't like about it to upgrade. Photos is just one of them. The OP is hardly an "idiot" as you ascribe to him.

    Thanks for the comment. The "block" feature is really getting a workout here recently on posters unwilling to engage in rational discussion. It's always been a bit of a mix of real discussions and emotional outbursts, but my tolerance for the latter has reached an all-time low.

  • Reply 20 of 102
    Quote:
    Originally Posted by TheWhiteFalcon View Post

    Hah, I just flashed my Mini 1,1 (HTPC) to push it to Lion for iTunes 12. Sadly all but one of my Intel Macs is on Lion.

    You're one of those "oh the UI changed I hates it!" people?

    Not that I hate it per se but it's a jolt for sure. I'm going to the Apple Store near me later today for some Genius appointment and some other things so I'll play around with it a bit further to see how it is.
