Privilege escalation bug

Traverse

Original poster
According to Apple Insider there is a serious security flaw in OS X that can allow malware to gain root privileges to any OS X Lion, Mountain Lion, and Mavericks system.

According to the article it was fixed with OS X 10.10.3, but will not be fixed in prior versions.

What do you think?
 

mtasquared

Are the WiFi issue and slow PDF preview issue resolved by now? I'm on Mountain Lion and like it that way unless Apple truly wants to force me onto Yosemite. Not happy.
 

Eithanius

Just another cheap publicity stunt by Apple to get everyone on board Yosemite knowing that their market share is fragmented... Thank goodness I'm still on Snow Leopard...

Inb4 anyone says SL deprecated and not secure...
 

ricede

Privilege escalation bug

I read about this bug this morning & that Apple are not going to fix it in Lion/Mountain Lion/Mavericks.

I didn't really understand the 'real world' situation for the average Mac user.

Is this the moment when EVERYONE with one of the older OS's HAS to upgrade to Yosemite ???

Any clarification of this would be appreciated. Thanks.
 

jhorsman

Looking around is telling me mainly that it is a bug that allows Admin privileges to Admin Enabled accounts without typing their passwords. So it creates an attack vector to escalate privileges. So got a couple of ways to work around it.

1. Create a Secondary admin account and strip your day to day account of Admin rights and 2. Also let Apple know your concern.

2. Watch what you are doing with no action on your part. (Not acceptable to me, but the risk is up to you. It is your Data/Machine.) For the bug to even be a threat, someone has to gain access to your machine. This can be Malware, remote management, etc. Due diligence comes into play for this one.

3. Upgrade to 10.10.3

4. Wait to see if Apple does address it for 10.9, 10.8, etc. It is ZDNet and nothing official has really come out.

Each Option has its Pros and Cons. The decision is up to you and how you feel about your Operating System's security. <Removed due to further research, I cannot stand by my own statement now due to severity of the issue from the author of the exploit.>
 
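The version boundary discussed in this thread (Lion, Mountain Lion and Mavericks affected; fixed in 10.10.3) can be checked on a machine with the shell sketch below. It is an added example, not code from any poster or from Apple; the function names are hypothetical, and treating Yosemite releases before 10.10.3 as affected is an assumption drawn from the statement that the fix arrived in 10.10.3.

```shell
#!/bin/sh
# Added example: classify an OS X version against the versions named in this thread.
# A plain string comparison is wrong here: "10.9.5" sorts after "10.10.3"
# lexically, which would report Mavericks as newer than the fixed release.

# ver_to_int MAJOR[.MINOR[.PATCH]] -> one integer, e.g. 10.10.3 -> 10010003
ver_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1              # split the version on dots
    IFS=$old_ifs
    # Missing components count as 0, so "10.10" is treated as 10.10.0.
    printf '%d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# rootpipe_status VERSION -> fixed | affected | not-listed | unknown
rootpipe_status() {
    case $1 in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;   # not a dotted number
    esac
    v=$(ver_to_int "$1")
    if [ "$v" -ge "$(ver_to_int 10.10.3)" ]; then
        echo "fixed"        # 10.10.3 or later, per the thread
    elif [ "$v" -ge "$(ver_to_int 10.7)" ]; then
        echo "affected"     # Lion (10.7) up to Yosemite before 10.10.3 (assumption)
    else
        echo "not-listed"   # older releases are not covered by the thread
    fi
}

# On a Mac, report the status of the running system; elsewhere do nothing.
if command -v sw_vers >/dev/null 2>&1; then
    this=$(sw_vers -productVersion)
    echo "OS X $this: $(rootpipe_status "$this")"
fi
```
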

jhorsman

Well, this isn't good. Did further research on the exploit itself from the author of the exploit. So my recommendation is now due diligence and separate the roles. And complain to Apple.

https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

What bothers me is...

"But I actually found a way to make it work for all users later, which means that the exploit is no longer limited to admin accounts only. It is as simple as sending nil to authenticateUsingAuthorizationSync instead of using the result of [SFAuthorization authorization]:"
 

chrfr

> 1. Create a Secondary admin account and strip your day to day account of Admin rights

This would not solve the issue since it's a privilege escalation vulnerability. The ability to get admin privileges from a non-admin account is the crux of the problem.
That Apple has opted to not patch this in 10.8.5 and 10.9.5 yet still provide the illusion that they're maintaining security patches for those versions of OS X is egregious.
 

jhorsman

> This would not solve the issue since it's a privilege escalation vulnerability. The ability to get admin privileges from a non-admin account is the crux of the problem.
> That Apple has opted to not patch this in 10.8.5 and 10.9.5 yet still provide the illusion that they're maintaining security patches for those versions of OS X is egregious.

I agree with you 100 percent. The only true answer at this time is to go to 10.10.3. Reason why I kept it in and not removed it, as an end user we can only do two things in this scenario and not go to 10.10.3. Be aware and mitigate with defense in depth. Enough awareness will perhaps force Apple to fix it. Mitigation is stop-gap at best. Remember, it is local privilege escalation. Got to get the payload on the machine first. As I said before, everything has its Pros and its Cons and it is up to you to decide acceptable risk.
 

Raima

> Enough awareness will perhaps force Apple to fix it.

I would suggest for people to contact the major Apple tech journalists to bring their attention to it. With enough media awareness, it would be in Apple's best interest to roll the update to the other affected OS X systems.

I contacted Hannah from smh.com.au in Australia. Do your part people!
 

mtasquared

I complained to Apple!

Well I consider Yosemite to be beta software because the updates are beta. Some people who stay with established OSX versions because they need stability/security to be paramount are being cast aside by Apple. I wrote a complaint to Apple through their customer support channel but they also gave me their website for complaints: http://www.apple.com/feedback/. I hope someone listens.
 

ricede

Sent to Tim Cook email address today

Dear Mr Cook,

I have read that Apple are not going to support this latest Security Flaw in Mavericks / Mountain Lion / Lion. In the 18 years that I have been a loyal supporter of Apple, I have always understood that Apple rigorously supported their previous OS's.

Some of us are not happy with Yosemite and do not wish to upgrade. Are we to understand that we must leave our systems open to attack, because it is too much work to support a large part of your user base?

If we can no longer rely on you to do the right thing, then I think that this is really sad. It is a telling state of affairs of where Apple are heading, when the pursuit of money overrides common sense & decency.

Yours very sincerely
 

Eithanius

> Dear Mr Cook,
>
> I have read that Apple are not going to support this latest Security Flaw in Mavericks / Mountain Lion / Lion. In the 18 years that I have been a loyal supporter of Apple, I have always understood that Apple rigorously supported their previous OS's.
>
> Some of us are not happy with Yosemite and do not wish to upgrade. Are we to understand that we must leave our systems open to attack, because it is too much work to support a large part of your user base?
>
> If we can no longer rely on you to do the right thing, then I think that this is really sad. It is a telling state of affairs of where Apple are heading, when the pursuit of money overrides common sense & decency.
>
> Yours very sincerely

Please send it to tcook@apple.com...
 

Roadstar

I am researching my options right now.
Me too. I'm actually happy (as far as it's applicable to something like this) about the timing since I'm just about to upgrade storage on my mid-2011 dual hard drive Mac mini. I'm going from 128GB SSD + 500GB HDD to 500GB SSD + 1TB HDD, and my initial plan was to allocate some of the space to Boot Camp (which I'm going to virtualize with VMware Fusion for improved access). I was thinking about something like a 75/25 split between OS X and Windows, but now I think I'll be going for 50/50 to have more options if Apple has indeed adopted the "we'll patch only the current OS version" approach in OS X as well.
 

mtasquared

Alright, I have a battle plan since I intend to keep using Mountain Lion. I added a standard account to switch into when surfing. I put Gatekeeper on its most restrictive setting. In general I have hardened the OS in accordance with most recommendations. One thing I will not do is enable FileVault, because I want my files to be visible to Boot Camp and to my family in case of personal disaster, but FileVault is a mitigation, according to Lars (the bug discoverer).
 

grahamperrin

I know, Valentine's day is long gone but this Apple episode inspires me to share those three little words that mean so much. Shoddy irresponsible ********.

Within the conclusion to How to fix rootpipe in Mavericks and call Apple's ******** bluff about rootpipe fixes | Reverse Engineering Mac OS X (2015-04-13):

… Leaving users exposed to such dangerous vulnerabilities with fully working public exploits available is simply irresponsible. Let me remind you that iWorm botnet infected more than 17k hosts just by asking the users for admin privileges. How large do you think a botnet can be by exploiting this vulnerability to escalate privileges without any user intervention at all?

It’s not possible for Apple to not want to assume the potential costs and risks of declaring OS X versions EOL but also to not want to backport really important security fixes to older OS X versions because that implies “too much work” …
Last but not least:

There is malware from 2014 that was already exploiting this vulnerability. Found by noar, the following sample contains the exploit code for both Mavericks and older versions. It uses the exploit to activate the Accessibility API. See, we don’t even need to wait for new malware, it was already being exploited in the wild. The malware sample is described by FireEye here, but they totally miss the zero day there. They just lightly describe the result but not the technique.
 

grahamperrin

Vulnerabilities in Mac OS X Lion, OS X Mountain Lion and Mavericks

Unless I'm missing something recent, Apple's approach has become appallingly shoddy. http://forums.macrumors.com/posts/21287006, http://forums.macrumors.com/posts/21516454 and so on.
Shame on Apple.
The fixes are there, some people just choose to not update. El Capitan should be a much smoother experience than Yosemite, so it's a great time to make the jump to a fully supported OS.
If "The fixes are there" meant that parts of Yosemite El Capitan can be used to patch vulnerabilities in Lion, Mountain Lion or Mavericks: I look forward to technical advice. Ideally with reference to CVE-2015-1130.

I understand why some people choose to stick to older operating systems,

Understanding

but you can't have your cake and eat it too. If you don't like Apple's way of doing things, Windows 10 is right around the corner.
@Tubamajuba please, why did you quote my post but not read the first linked topic within that quote? If you had done so, you could have understood why my plans include neither Microsoft Windows nor an older operating system.
