A newly discovered flaw in macOS could let anyone — or anything — that has access to a regular user account seize control of the computer.
The flaw isn't utterly new. It was first revealed last week as a vulnerability in sudo, a command present in almost all Unix-derived operating systems, including Linux and macOS.
Yesterday (Feb. 2), security researchers demonstrated that the flaw does indeed work in macOS, including the most recent version of Big Sur that was released Monday (Feb. 1).
The sudo flaw, called "Baron Samedit" by its finders, permits a regular user account to gain powers the account shouldn't have. Anyone or any piece of malware that gains access to a Mac, whether in person or over a network, could use Baron Samedit to take over the machine.
Sudo, short for "superuser do," is typically used by users who already have administrative privileges to temporarily gain "root" or "superuser" privileges so that they can make changes to the operating system. Admin users are prompted to type in their passwords after invoking the sudo command.
In theory, the Baron Samedit flaw is exploitable only by a person who already has an account on a Mac, Linux or other Unix-derived machine.
But in reality, it could be used by remote attackers who manage to steal or crack user passwords over a network, including the internet. It can also be used by malware that has infected a regular user account. You can read more about how the Baron Samedit flaw and resulting exploit work here and here.
Apple is a bit late to the patch party
The Baron Samedit flaw had already been patched by several major Linux distributions, including Debian, Red Hat and Ubuntu, before the vulnerability was disclosed Jan. 26.
Apple didn't join them, perhaps because Apple developers weren't aware macOS might be affected. There is in fact an obstacle that prevents the exploit from working right out of the box on macOS.
But Matthew Hickey, CEO and co-founder of the information-security consulting firm Hacker House, showed on Twitter yesterday that a couple of simple command-line entries will remove that obstacle and make the Baron Samedit exploit possible on macOS.
CVE-2021-3156 also impacts @apple MacOS Big Sur (unpatched at present), you can enable exploitation of the issue by symlinking sudo to sudoedit and then triggering the heap overflow to escalate one's privileges to 1337 uid=0. Fun for @p0sixninja pic.twitter.com/tyXFB3odxE (February 2, 2021)
Hickey called it "one of the most devastating and widespread LPE's [local privilege escalations] in modern UNIX/Linux history."
Will Dormann at the Computer Emergency Response Team Coordination Center (CERT-CC), a research facility at Carnegie Mellon University in Pittsburgh that's funded by the U.S. Department of Defense, confirmed Hickey's findings shortly thereafter.
Can confirm with macOS Big Sur on both x86_64 and aarch64. pic.twitter.com/nQqQ8rskv7 (February 2, 2021)
So did Patrick Wardle, a well-known Mac hacker, who confirmed that macOS Big Sur 11.2 was vulnerable.
macOS (including 11.2) appears to be vulnerable to the sudo heap-overflow bug (CVE-2021-3156) 🍎🐛 🤨 https://t.co/mogGGoYRKc pic.twitter.com/vTeYVUxpyw (February 3, 2021)
Hickey's findings were quickly made into proof-of-concept code and put up on Pastebin for all to see.
What you can do about this macOS flaw
So what can you do to protect yourself from this? Hickey said the flaw isn't fixable by the user, even one with administrative privileges who's properly using sudo.
You'll have to wait until Apple fixes this with an update to Big Sur and the two previous versions of macOS, 10.15 Catalina and 10.14 Mojave. It's possible that earlier, officially unsupported, versions may be patched as well, as Apple has done when fixing some very severe bugs in the past.
In the meantime, short of turning off your Mac until the patch comes, you should install and use one of the best Mac antivirus programs. The antivirus software won't prevent a jerk from sitting down at your machine and logging in, but hopefully you have other methods of stopping that.
After that, stick to the official Mac App Store when installing new programs until Apple fixes this flaw.
Tom's Guide has reached out to Apple for comment on this issue, and we will update this story when we receive a reply.