Hacker finds 'serious' vulnerability in OS X Yosemite

Discussion in 'OS X Yosemite (10.10)' started by iRoRo, Oct 31, 2014.

  1. iRoRo macrumors regular

  2. simonsi macrumors 601

    #2
    https://www.youtube.com/watch?v=fCQg2I_pFDk

    Truesec's own material states up to Beta 6 affected but doesn't confirm the general release is affected....?

    He states: "there are ways to protect against rootpipe and enhance the security of your Mac generally. Step one is to make sure you’re not running the system on a daily basis with an admin account—that is, one that has admin privileges."

    So it seems to need an account running that already has admin rights???
     
  3. grahamperrin, Nov 1, 2014
    Last edited: Nov 1, 2014

    grahamperrin macrumors 601

    #3
    Please clarify the observation of what was read

    Macworld states that the vulnerability "… affects the newest OS X release, version 10.10".

    Does your question mean that you cannot tell – from the video and/or Truesec's material – whether anyone other than Magnus Aschan (Macworld) associates the vulnerability with the released build of the operating system?

    Please summarise/clarify – thanks.

    ----

    Side note: if it's the same type of vulnerability that I reported to Apple, which affected multiple releases of the operating system at the time, it's feasible that what I reported could be used for escalation of privileges. If I recall correctly: when I last tested, a few months before WWDC 2014, it did affect Mavericks. In the Macworld article I see "…tried on 10.9 but with no luck. …" but that's not definitive enough for me to tell whether it's different from what I reported (and I don't expect Emil Kvarnhammar to divulge further details – responsible disclosure, and so on). I don't plan to test the released build of 10.10 – sorry.
     
  4. simonsi macrumors 601

    #4
    Truesec's page with the video only refers to Beta 6; it doesn't mention the release build at all either way. Shame, as I was hoping that was a more direct source.
     
  5. iRoRo thread starter macrumors regular

    #5
    Given the published date and time on Macworld (Oct 31, 2014 10:14 AM) and the following statement:

    'It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn’t fixed the flaw yet, he says, so Truesec won’t provide details yet of how it works.'

    I would think it's for the current final version as well as the betas prior to it.
     
  6. simonsi macrumors 601

    #6
    Yes, but the media and Truesec have a vested interest in it "affecting the latest release"; it would be nice if they confirmed it either way. As they specifically listed Beta 6 but no further, it leaves it in doubt whether Apple may already have fixed the issue or it may effectively give us the release of 10.10.1....
     
