Update your Mac: Apple fixes major flaw in OS X Yosemite, but won't patch Lion, Mountain Lion or Mav
A serious vulnerability present in every iteration of Apple's desktop operating system since OS X 10.7 -- one which allows any user process to gain root privileges -- was disclosed to the public on Thursday following the release of OS X 10.10.3, which addresses the issue. Users are urged to update, as older OS X versions will remain susceptible to attack.

The problem revolves around an unpublished OS X API used by system processes, like System Preferences, for privilege escalation. TrueSec's Emil Kvarnhammar discovered that any OS X user, whether or not their account possesses administrative rights, could gain root access by exploiting this API.
This presents a critical security threat for users of unpatched OS X versions. Users who unwittingly install malware containing exploit code could hand over complete control of their Mac to the attacker, no matter what other security precautions they may have taken.
As a result, OS X users are urged to upgrade to Yosemite version 10.10.3 as soon as possible. Apple will not patch versions older than 10.10, reportedly due to the complexity of the fix.
For users running OS X 10.10, 10.10.1, or 10.10.2, a patch for this bug is included in Security Update 2015-004.
Kvarnhammar first discovered the vulnerability in OS X Mavericks last October and reported it to Apple immediately. The company asked Kvarnhammar to postpone public disclosure -- which generally occurs within 90 days of discovery -- "due to the amount of changes required in OS X," and a full fix was not implemented until this week.
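One way to audit a machine or a fleet against the version ranges the article gives (affected from 10.7 through 10.10.2, fixed in 10.10.3, no backport for 10.9.x and older), as an added shell example that is not from the article, Apple or TrueSec; the function and status names are my own, and `sw_vers -productVersion` is the stock OS X command that prints the installed version:

```shell
#!/bin/sh
# Classify an OS X product version against the CVE-2015-1130 fix window.
# Ranges follow the article and Apple's HT204659: affected from 10.7 up to
# and including 10.10.2; fixed in 10.10.3 (Security Update 2015-004 takes
# 10.10-10.10.2 there); 10.9.x and older get no backport, so only an upgrade
# to Yosemite removes the exposure. Function and status names are my own.

# is_num STRING -> true if STRING is a non-empty run of digits
is_num() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# cve_2015_1130_status VERSION -> prints one of:
#   not-affected | vulnerable-unpatched | vulnerable-patchable | fixed | unknown
cve_2015_1130_status() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -s -d. -f2)   # empty when no 2nd field
    patch=$(printf '%s' "$ver" | cut -s -d. -f3)   # empty when no 3rd field
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    if ! is_num "$major" || ! is_num "$minor" || ! is_num "$patch"; then
        echo unknown; return 1
    fi
    if [ "$major" -ne 10 ]; then echo unknown; return 1; fi   # OS X is 10.x
    if [ "$minor" -lt 7 ]; then echo not-affected                # before Lion
    elif [ "$minor" -lt 10 ]; then echo vulnerable-unpatched     # 10.7-10.9: no fix shipped
    elif [ "$minor" -eq 10 ] && [ "$patch" -lt 3 ]; then
        echo vulnerable-patchable                                # install 10.10.3 / SU 2015-004
    else echo fixed                                              # 10.10.3 or later
    fi
}

# audit_this_mac -> runs the check on the local host via sw_vers
audit_this_mac() {
    if ! command -v sw_vers >/dev/null 2>&1; then
        echo "sw_vers not found: not an OS X host" >&2; return 2
    fi
    v=$(sw_vers -productVersion)
    echo "$v $(cve_2015_1130_status "$v")"
}

# Usage: AUDIT_LOCAL=1 sh rootcheck.sh   (defines functions only when sourced)
if [ -n "${AUDIT_LOCAL:-}" ]; then audit_this_mac; fi
```

Feed the status function version strings collected from an inventory tool to get a per-host verdict; "vulnerable-unpatched" hosts cannot be fixed in place and need the Yosemite upgrade.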

Comments
I certainly hope they reconsider their position on this.
There's just no way I'll upgrade to Yosemite at this point. The bashing of Photos alone has convinced me to wait longer, however many other issues have more than convinced me that Yosemite isn't for me yet.
Also, where's the source for definitive evidence that this vulnerability will not be addressed by Apple?
Quoted from TrueSec: "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."
And has anyone independently verified this?
It's a direct quote from the researcher who discovered the problem and worked with Apple's security team to fix it. What more confirmation do you want?
There's also this: https://support.apple.com/en-us/HT204659
Admin Framework
Available for: OS X Yosemite v10.10 to v10.10.2
Impact: A process may gain admin privileges without properly authenticating
Description: An issue existed when checking XPC entitlements. This issue was addressed with improved entitlement checking.
CVE-ID
CVE-2015-1130 : Emil Kvarnhammar at TrueSec
I too would like to know how to use the api to test
Seriously, those railing on the new system and refusing to move to it are missing out on heaps of benefits. So Photos doesn't live up to some people's expectations. Whoopdeedoo. It's not like there are no other options for them.
The security and performance benefits alone are a great reason to upgrade. The fact it's FREE to do so shouldn't even be a reason to not upgrade.
Frankly you deserve to have someone gain root access to your machine.
Thanks Apple. Guess you'll do almost anything to get me to use the ugly new operating system!
Then you're an idiot.
Sorry, but there are too many flaws and things about Yosemite that I don't like about it to upgrade. Photos is just one of them. The OP is hardly an "idiot" as you ascribe to him.
I wish they'd bring this back to Lion, seeing the number of machines they orphaned on it.
If you want real protection download sandboxed apps from the Mac store only and turn that setting on to disable everything else.
This is one of those times I'm glad to still be on Snow Leopard!
Hah, I just flashed my Mini 1,1 (HTPC) to push it to Lion for iTunes 12. Sadly all but one of my Intel Macs is on Lion.
You're one of those "oh the UI changed I hates it!" people?
Yosemite is fine now. As are all 10.N.x releases where x > 0.
Thanks for the comment. The "block" feature is really getting a workout here recently on posters unwilling to engage in rational discussion. It's always been a bit of a mix of real discussions and emotional outbursts, but my tolerance for the latter has reached an all-time low.
Not that I hate it per se, but it's a jolt for sure. I'm going to the Apple Store near me later today for a Genius appointment and some other things, so I'll play around with it a bit further to see how it is.