Swedish hacker finds 'serious' vulnerability in OS X Yosemite

A full disclosure is likely to be published in January

Emil Kvarnhammar says he's found a serious security hole in Apple's Yosemite OS X.

Emil Kvarnhammar says he's found a serious security hole in Apple's Yosemite OS X.

A white-hat hacker from Sweden says he's found a serious security hole in Apple's Yosemite OS X that could allow an attacker to take control of your computer.

Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability "rootpipe" and has explained how he found it and how you can protect against it.

It's a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system.

It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn't fixed the flaw yet, he says, so Truesec won't provide details yet of how it works.

"It all started when I was preparing for two security events, one in Stockholm and one in Malmö," Kvarnhammar says. "I wanted to show a flaw in Mac OS X but relatively few have been published. There are a few 'proof of concepts' online, but the latest I found affected the older 10.8.5 version of OS X. I couldn't find anything similar for 10.9 or 10.10."

Mac users tend to keep their OS more up to date than Windows users, he says, and he wanted to find a vulnerability that would affect current users, so he started digging around in the newer versions of OS X.

"I started looking at the admin operations and found a way to create a shell with root privileges," he says. "It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it."

He tested the vulnerability on version 10.8.5 of the OS and got it to work, he says. Then he tried on 10.9 but with no luck.

"I was a bit dejected but continued to investigate," Kvarnhammar said. "There were a few small differences [in later releases] but the architecture was the same. With a few modifications I was able to use the vulnerability in the latest Mac OS X, version 10.10."

When he's trying to find vulnerabilities in an OS, he said, he tries to get a feel for how the developer was thinking. In this case, Apple had migrated and moved some functions, but basically the same flaws remained.

"Normally there are 'sudo' password requirements, which work as a barrier, so the admin cant gain root access without entering the correct password. However, rootpipe circumvents this," he says.

He says he reported the vulnerability to Apple the day after he discovered it.

He didn't get much of a response, he said, which didn't surprise him given Apple's policy of not confirming vulnerabilities. But because Apple agreed to a date when he can publish details of the flaw, he believes the company indirectly confirmed it.

"For our part, there was no discussion: we do responsible disclosure," he said. "But we also wanted to announce that we found a serious flaw; there is a big risk here."

"In our dialogue with Apple, we agreed on a date for full disclosure. After this date, we can talk about exactly what we found."

As it stands now, a full disclosure is likely to be published in January.

Apple takes security seriously, he said, though they're sometimes a bit "careful" about the information they publish because they want to give the impression that their software it is as safe as possible. But he said it's naive to think OS X is immune to critical vulnerabilities. Like any complex software, he says, there are inherently numerous flaws.

So how did he come up with the name rootpipe? "I cant get into that too much; I'll get back to you when we can provide more information," he said.

He says there are ways to protect against rootpipe and enhance the security of your Mac generally. Step one is to make sure you're not running the system on a daily basis with an admin account -- that is, one that has admin privileges.

That's tricky since most Macs get set up with only one account on them, and that account has admin privileges. His tip is to create a new account and assign it admin privileges, and call it "admin" or something similar. Then log into the admin account and remove the admin permissions from the other account you'll be using day in and day out.

That means if a hacker takes over the account that's used daily, it won't have the admin permissions, which will limit the harm they can do. For the user, they'll have to enter an admin password when they want to install new software or make some other change, but it might be worth the hassle until the flaw gets fixed.

He also recommends using Apple's FileVault tool, which encrypts the hard drive. The performance hit on the system is minimal, he says, and you probably won't notice it at all.

"This is a great way of protecting your data, especially if your computer gets stolen," he says.

Join the CSO newsletter!

Error: Please check your email address.

Tags AppleMac OSsecuritysoftwareoperating systemsExploits / vulnerabilities

More about AppleMacs

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Magnus Aschan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place