The latest unpatched Mac security bug could be exploited by a malicious application to gain control of a system
Apple’s Mac OS X has been hit by another unpatched ‘vertical privilege escalation’ security bug similar to the DYLD_PRINT_TO_FILE bug made public in July, and exploited by adware discovered earlier this month.
The latest bug was published by a developer describing himself on Twitter as an 18-year-old Italian named Luca Todesco, who released proof-of-concept code allowing an unprivileged user to gain root access to a system.
The bug affects every version of Mac OS X 10.10 Yosemite, including the most recent release, but is mitigated with the upcoming OS X 10.11 El Capitan release, according to researchers. Todesco said he notified Apple of the issue but acknowledged that a fix isn’t yet available for Mac OS X 10.10.
The release comes shortly after Apple’s latest update to Yosemite, which patches the DYLD_PRINT_TO_FILE flaw.
That bug was published by researcher Stefan Esser, who initially criticised Apple for failing to provide a patch for current versions of Mac OS X, only fixing it in Yosemite, now in public testing.
Like Esser, Todesco was criticised by some security experts for releasing the proof-of-concept before a patch was available.
However, Todesco said he hadn’t intended the release as a broadside against Apple, and said on Twitter that the reaction against him was “out of proportion” to the importance of the flaw, which he compared to the jailbreak exploits used to gain control of iPhones.
Such exploits can be used by an application with low-level privileges to gain top-level root access and take control of a system.
In the case of Todesco’s tpwn exploit, an attack would require physical access to a system, but the flaw could also be exploited if a user were tricked into installing malicious software. Todesco’s proof-of-concept exploits two issues via IOKitLib, an interface for accessing physical devices attached to a system.
Todesco recommended users install Esser’s SUIDGuard to protect against unpatched privilege-escalation flaws. In general, security experts say users can mitigate such risks by only installing applications from trusted sources.
Security researcher Emil Kvarnhammar of Sweden’s Truesec publicised a privilege-escalation bug called rootpipe in Mac OS X Yosemite last year, but withheld details of the flaw until a patch was available.
Apple didn’t immediately respond to a request for comment. The company typically doesn’t comment on security-related issues.