New OS X 10.10.5 Privilege Escalation Vulnerability Discovered

[cbott]

How did this article get through @MacRumors? I understand you used Apple Insider as your source but I had hoped you would do a little more checking before simply reposting...

The screenshot clearly shows Darwin Kernel Version 14.4.0 which is part of OS X 10.10.4 and prior. The 10.10.5 update has Darwin Kernel Version 14.5.0. Download the update, install, open terminal and type in 'uname -a' to check for yourself. I'm not saying there isn't a vulnerability somewhere in the update, but I am saying the vulnerability this screenshot depicts may not exist in OS X 10.10.5.

 

[Rigby]

... Actually, my situation is a bit better because my secret stuff is encrypted in my keychain, root access or not, and I lock it. What more can they do with root access, wipe out my OS? Big deal.

For example, install a keylogger, which will record your password, which in turn will give the attacker full access to your keychain. Privilege elevation exploits can be used for many things.

 

[Rafagon]

I read somewhere that he only gave Apple a few hour's notice before releasing it. He's a scumbag. And I have to say that the writer of this article is sort of a scumbag if that screenshot is the code for the vulnerability (If this is true, sorry Juli).

Even if that isn't the screenshot of the code for the vulnerability, Macrumors still published the link to GitHub where all the information can be found.

So yes, Macrumors is sort of a scumbag. Of course, they're here to make money, no matter what it takes.

 

[Rafagon]

I sort of like what Mr. Todesco did. It lights a fire under Apple, prompting fast action.

Having millions of customers know that the vulnerability is there means that at least ⅓ of those will hopefully remember that Apple owes us a security update. That's more people to get on Apple's case about doing something about it.

 

[laurentSF]

It took Apple less than a month to release OS X 10.10.5

what a joke both from Apple and this article

 

[bradl]

Even if that isn't the screenshot of the code for the vulnerability, Macrumors still published the link to GitHub where all the information can be found.

So yes, Macrumors is sort of a scumbag. Of course, they're here to make money, no matter what it takes.

Yet you don't go after AppleInsider for doing the exact same thing. From their link:

http://appleinsider.com/articles/15...s-x-yosemite-also-affects-just-released-10105

The exploit was discovered by Italian developer Luca Todesco, who relies on a combination of attacks — including a null pointer dereference in OS X's IOKit — to drop a proof-of-concept payload into a root shell. It affects every version of OS X Yosemite, but seems to have been mitigated in OS X El Capitan, which is nearing release.

AI posted the exact same link. However, no calling them out as 'scumbags' from you.

As for 'prompting Apple to fast action', not only is this having the opposite effect as Apple would need to find the best solution for this fast = haste, and not the best. Plus, this gives those unethical people even more time to abuse this vulnerability as much as they can before Apple could even put out something to prevent it. That goes completely counter to your statement.

Fast action isn't going to get you the solution that is the most stable and secure.

BL.

 

[macs4nw]

I sort of like what Mr. Todesco did. It lights a fire under Apple, prompting fast action.

Having millions of customers know that the vulnerability is there means that at least ⅓ of those will hopefully remember that Apple owes us a security update. That's more people to get on Apple's case about doing something about it.

Seriously?..... Are you implying that Apple are lackeys that need to be prodded when it comes to patching vulnerabilities? I would suggest that as a company, Apple has a lot more to lose from a compromised OS, than each of us individually have.

You can bet your bottom dollar that behind the scenes they are working furiously to patch that vulnerability.

 

[Rigby]

You can bet your bottom dollar that behind the scenes they are working furiously to patch that vulnerability.

Now that it's been publicly disclosed, probably. But when it comes to exploits that have been privately reported to them but not published, they have a history of sitting on these for months (and in a few cases years) before doing anything.

 

[Rigby]

Here's a less biased article on The Register:

http://www.theregister.co.uk/2015/08/18/apple_local_root_os_x_yosemite/

Quote:

Todesco said he reported the bug to Apple's engineers, and went public on Sunday by uploading the exploit code to GitHub because he felt he "had to."

"I was planning on publishing it in an abstract blog post. I informed Apple, just because, you know, Apple could have simply not noticed my post," he said. "I only published tpwn because I had to, or else I would have kept it unreported until 10.11. The bad guys already have [local privilege escalation bugs]."

And in case anybody missed it, a fix can be downloaded here (source code available via the linked Github project):

https://www.suidguard.com/stories/download.html

 

[JamesPDX]

Now that it's been publicly disclosed, probably. But when it comes to exploits that have been privately reported to them but not published, they have a history of sitting on these for months (and in a few cases years) before doing anything.

If most of their engineering efforts are pointed towards "lifestyle products" instead of OSX security, then we'll have to wait much longer for a fix than a computer company that's not trying to be a record label and design the next Curtis Mathes. Perhaps they are spread thin. BTW, where are my iPants?!!

 

[AlecZ]

For example, install a keylogger, which will record your password, which in turn will give the attacker full access to your keychain. Privilege elevation exploits can be used for many things.

Root access is not needed to install a key logger unless the attacker wants it to also work at the login screen.

 

[AlecZ]

Compromising individual machines to steal information is actually not that common. Usually once they have control, they sell or rent out your computer for use in a botnet, as a spam server, child porn server, etc. The guy hacking your machine is almost never the one using it directly. As you can imagine, root access makes this significantly easier to do and harder to detect.

I was thinking of bot nets too, but user login items are easy enough to install without detection. It's like we need something even lower than a regular user, some sandbox that requires authentication to breach.

 

[SteveW928]

Nonsense. The source of the fix is open. You can inspect it yourself (lots of others already have). It's pretty small and easy to understand.

And unless you're capable of doing just that.... it's not a good idea.

 

[chrfr]

Even if that isn't the screenshot of the code for the vulnerability, Macrumors still published the link to GitHub where all the information can be found.

So yes, Macrumors is sort of a scumbag. Of course, they're here to make money, no matter what it takes.

The bad guys aren't getting this sort of information from MacRumors.
This exploit is widely published so linking to it here isn't going to make any difference.

 

[SteveW928]

That may be true, but developers have a set of ethics (s)he should abide by.

Ethics? Where we're going, we don't neeeed ethics! (cf. Back to the Future)

Come on, this is 2015 and we're headed into a brave, new 'progressive' world where we no longer need archaic vestiges of the past like ethics. Sheesh!

 

[SteveW928]

Seriously?..... Are you implying that Apple are lackeys that need to be prodded when it comes to patching vulnerabilities?

Far stronger than implying. They typically take their sweet time. And, if they really cared about it that much, they'd work harder to keep the components of OS X more up-to-date (i.e.: a lot of these vulnerabilities are just a matter of keeping up on the change-logs of those components for patched security holes, and then making application).

 

[2984839]

I was thinking of bot nets too, but user login items are easy enough to install without detection. It's like we need something even lower than a regular user, some sandbox that requires authentication to breach.

At the very least, userspace applications should not be allowed access to the null page. FreeBSD prevents this by default and I believe OpenBSD does as well.