A flaw in the newest version of OS X, version 10.10 (Yosemite), could allow attackers to gain complete control of a target's Mac, a researcher said.
It is a privilege escalation bug that TrueSec researcher Emil Kvarnhammar named Rootpipe. He declined to explain the name, as the explanation could reveal details that would help attackers find the bug and create an exploit.
Apple indirectly confirmed the flaw's existence when it asked the researcher to delay publishing details about it until January 2015, after a fix for the bug is released and pushed out to users.
Kvarnhammar said he found the flaw while preparing for two security events at which he wanted to demonstrate such a flaw. Because few proofs of concept for OS X bugs are published, and most of those affect older versions of the OS, he thought he would try to find one himself.
He found one after only a few days of binary analysis. “I started looking at the admin operations and found a way to create a shell with root privileges,” he said.
“Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin can’t gain root access without entering the correct password. However, Rootpipe circumvents this.”
The flaw is present in OS X versions 10.8, 10.9 and 10.10 (Beta 6), and TrueSec released a demo of the exploit.
Users can protect themselves by setting up a new account without administrative permissions and using that account until a patch for the flaw is released, Kvarnhammar said.