New privilege escalation exploit discovered in OS X Yosemite, also affects just-released 10.10.5

Posted in macOS, edited September 2015
Just days after patching the DYLD_PRINT_TO_FILE vulnerability with a new OS X point release, Apple's desktop operating system has been hit with yet another zero-day exploit that would allow an attacker to gain root access without using a password.


Luca Todesco on Twitter


The exploit was discovered by Italian developer Luca Todesco, who relies on a combination of attacks -- including a null pointer dereference in OS X's IOKit -- to drop a proof-of-concept payload into a root shell. It affects every version of OS X Yosemite, but seems to have been mitigated in OS X El Capitan, which is nearing release.

Todesco did not disclose the problem to Apple before sharing it publicly early Sunday, so it remains to be seen how quickly the company will respond.

Many computer security researchers condemn such reckless action, arguing that companies should be given time to issue patches for bugs that could harm consumers, while others have become frustrated at the slow pace of response. Apple has a somewhat checkered past with OS X security updates, but has shown improvement in recent months -- the company patched the DYLD vulnerability less than a month after disclosure.

Apple has also taken steps to harden its operating system against attacks, announcing that OS X El Capitan would ship with a new security feature called "rootless." Rootless is designed to restrict third-party applications from modifying certain parts of the system -- even if they are running as root -- in a manner similar to the more aggressive sandboxing in iOS.

Comments

  • Reply 1 of 92
    Is it safe to turn my computer off? Please advise soonest.
  • Reply 2 of 92

    I'm tired of exploits

  • Reply 3 of 92
    revenant (Posts: 621, member)
    These exploits are annoying, but glad someone is sharing it. And this is the closest to an unbiased report I have read.
  • Reply 4 of 92
    MacPro (Posts: 19,505, member)
    revenant wrote: »
    These exploits are annoying, but glad someone is sharing it. And this is the closest to an unbiased report I have read.

    Really? Wouldn't you have preferred he shared with Apple first?
  • Reply 5 of 92
    revenant wrote: »
    These exploits are annoying, but glad someone is sharing it. And this is the closest to an unbiased report I have read.

    Really? Wouldn't you have preferred he shared with Apple first?

    I'm with digitalclips on this one. Not notifying the software author first, and giving them some time to release a patch before public disclosure, is pure asshattery, in my opinion.
  • Reply 6 of 92
    Apple should deny this rogue developer all access to the developer site and revoke his developer account.
  • Reply 7 of 92
    rob53 (Posts: 3,057, member)

    All I'm reading is that the exploit would allow something. I'm not going to test it but it would be helpful if someone actually did validate this exploit and mentioned whether they could replicate it. I clicked on the link and it goes to GitHub with only a short comment. I also think the programmer should have warned Apple instead of simply posting it on GitHub for the world of hackers to see.

     

    What interests me more is the comment about rootless in 10.11. "Rootless is designed to restrict third-party applications from modifying certain parts of the system -- even if they are running as root -- in a manner similar to the more aggressive sandboxing in iOS." I see this as affecting every single system utility application, many of which aren't available on the App Store because they need to act as root to do their job. 

  • Reply 8 of 92
    If someone figured out Luca Todesco's passwords and PIN numbers, would it be ethical to tell him first or would it be okay to post that information on GitHub first?
  • Reply 9 of 92
    If someone figured out Luca Todesco's passwords and PIN numbers, would it be ethical to tell him first or would it be okay to post that information on GitHub first?

    Either way, he needs to be arrested and thrown into a cell with all the other terrorists in Gitmo. /????
  • Reply 10 of 92
    solipsismy (Posts: 5,099, member)
    Todesco did not disclose the problem to Apple before sharing it publicly early Sunday

    Dick!

    rob53 wrote: »
    All I'm reading is that the exploit would allow something.

    If you have access to root, don't you then have access to everything?
  • Reply 11 of 92
    solipsismy wrote: »
    Dick!
    If you have access to root, don't you then have access to everything?

    Good thing I never upgraded from Mavericks. /s
  • Reply 12 of 92
    Does anybody know how this might actually work? Is physical access required to the machine? Do I have to click on something in an email attachment? Or is it sufficient to just be online?
  • Reply 13 of 92
    Quote:
    Originally Posted by digitalclips

    Quote:
    Originally Posted by revenant

    These exploits are annoying, but glad someone is sharing it. And this is the closest to an unbiased report I have read.

    Really? Wouldn't you have preferred he shared with Apple first?

    I agree. You have to go straight to the company first. The company might already be working on a fix after all.

  • Reply 14 of 92
    Awaiting the inevitable contrarians to show up and do their anti-Apple troll dance.
  • Reply 15 of 92

    You need to be logged into the machine.  If you are logged in, then you can create a new executable that, when run, gives you root access.  I took a look at the software, and it is pretty straightforward.  So the danger is not that someone outside can get into your machine: the danger is that anyone who has physical access to your machine can take it over.

     

    So if your machine is in your home, stop worrying.  If your machine is in a public area where anyone can use it, yes, it can be fairly easily compromised by downloading the source code in github, typing a few command lines, and running it.

  • Reply 16 of 92
    deb2319 wrote: »
    You need to be logged into the machine.  If you are logged in, then you can create a new executable that, when run, gives you root access.  I took a look at the software, and it is pretty straightforward.  So the danger is not that someone outside can get into your machine: the danger is that anyone who has physical access to your machine can take it over.

    So if your machine is in your home, stop worrying.  If your machine is in a public area where anyone can use it, yes, it can be fairly easily compromised by downloading the source code in github, typing a few command lines, and running it.

    Thank you.
  • Reply 17 of 92
    His developer account should be revoked for this.
  • Reply 18 of 92
    lkrupp (Posts: 10,160, member)
    Quote:
    Originally Posted by WonkoTheSane

    Does anybody know how this might actually work? Is physical access required to the machine? Do I have to click on something in an email attachment? Or is it sufficient to just be online?

    Don’t worry about it. Just keep using common sense when downloading software. Download only from trusted sources and companies like the App Store. Don’t click on anything that promises magical things. If it sounds too good to be true it IS. Like all the other chicken little reports about these things they rarely actually materialize to become a major problem.

     

    Above all don’t listen to the paranoid crowd’s predictions of the Apocalypse. They show up here every time one of these reports gets out, wringing their hands and running around with their hair on fire. Truth is hackers these days are in it for the money. They like attacking corporations where the ROI is highest. Individuals’ machines not so much because the data is of limited value. It’s not like the old days where hackers did their thing for the glory of their reputations. Today hacking is a business model.

  • Reply 19 of 92
    lkrupp wrote: »

    Don’t worry about it. Just keep using common sense when downloading software. Download only from trusted sources and companies like the App Store. Don’t click on anything that promises magical things. If it sounds too good to be true it IS. Like all the other chicken little reports about these things they rarely actually materialize to become a major problem.

    Above all don’t listen to the paranoid crowd’s predictions of the Apocalypse. They show up here every time one of these reports gets out, wringing their hands and running around with their hair on fire. Truth is hackers these days are in it for the money. They like attacking corporations where the ROI is highest. Individuals’ machines not so much because the data is of limited value. It’s not like the old days where hackers did their thing for the glory of their reputations. Today hacking is a business model.

    I think you have a point regarding hacking being a business model mainly these days.

    Actually, since my first IIe I never had any sort of virus or Trojan on my various Apple machines. And I'm not so much worried. Just these articles often don't draw the full picture leaving you in the dark as to how serious this threat is in real life at home or work.

    Somehow, though, all those phishing emails must work to a degree, otherwise this "business model" would already have stopped working.
  • Reply 20 of 92
    Quote:
    Originally Posted by Suddenly Newton

    Awaiting the inevitable contrarians to show up and do their anti-Apple troll dance.

     

    Is your comment some kind of defensive shield magic? For who? Help me understand why your kind of comment is posted. It says that criticism of Apple in any form should be considered enemy fire.
