crp, posted November 4, 2014:

http://www.macworld.com/article/2841965/swedish-hacker-finds-serious-vulnerability-in-os-x-yosemite.html
Guest LilBambi, posted November 5, 2014:

Thanks crp!

Quoting the article:

"Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability 'rootpipe' and has explained how he found it and how you can protect against it. It's a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system. It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn't fixed the flaw yet, he says, so Truesec won't provide details yet of how it works."

Great job, Emil Kvarnhammar! I love it when folks find vulnerabilities. It means they will be fixed and not still out there!
Guest LilBambi, posted November 5, 2014:

Quoting the article:

"'It all started when I was preparing for two security events, one in Stockholm and one in Malmö,' Kvarnhammar says. 'I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few "proof of concepts" online, but the latest I found affected the older 10.8.5 version of OS X. I couldn't find anything similar for 10.9 or 10.10.' Mac users tend to keep their OS more up to date than Windows users, he says, and he wanted to find a vulnerability that would affect current users, so he started digging around in the newer versions of OS X."

So glad there are folks who are vigilant with all the OSes out there. Many folks think "oh, my God" when these things are found for Windows, Mac, or Linux. I think, "thankfully another exploit vector is being fixed!" All OSes have vulnerabilities, and the quicker they are found and fixed, the better.
Guest LilBambi, posted November 5, 2014 (edited):

I liked that he said the following:

"He didn't get much of a response, he said, which didn't surprise him given Apple's policy of not confirming vulnerabilities. But because Apple agreed to a date when he can publish details of the flaw, he believes the company indirectly confirmed it. 'For our part, there was no discussion: we do responsible disclosure,' he said. 'But we also wanted to announce that we found a serious flaw; there is a big risk here.'"

I wish Apple was more forthcoming. It is the one scary thing for Mac users, especially as they incorporate more Windows-type networking services into OS X to be more compatible with the corporate world.

Edited November 5, 2014 by LilBambi