Skip to main content

MacBook security alert — all Macs can be hacked using this flaw

MacBook reconfigurable keyboard
(Image credit: Getty Images)

A newly discovered flaw in macOS could let anyone — or anything — that has access to a regular user account seize control of the computer.

The flaw isn't utterly new. It was first revealed last week as a vulnerability in sudo, a command present in almost all Unix-derived operating systems, including Linux and macOS. 

Yesterday (Feb. 2), security researchers demonstrated that the flaw does indeed work in macOS, including the most recent version of Big Sur that was released Monday (Feb. 1).

The sudo flaw, called "Baron Samedit" by its finders, permits a regular user account to gain powers the account shouldn't have. Anyone or any piece of malware that gains access to a Mac, whether in person or over a network, could use Baron Samedit to take over the machine.

Sudo, short for "superuser do," is typically used by users who already have administrative privileges to temporarily gain "root" or "superuser" privileges so that they can make changes to the operating system. Admin users are prompted to type in their passwords after invoking the sudo command.

In theory, the Baron Samedit flaw is exploitable only by a person who already has an account on a Mac, Linux or other Unix-derived machine. 

But in reality, it could be used by remote attackers who manage to steal or crack user passwords over a network, including the internet. It can also be used by malware that has infected a regular user account. You can read more about how the Baron Samedit flaw and resulting exploit work here and here.

Apple is a bit late to the patch party

The Baron Samedit flaw had already been patched by several major Linux distributions, including Debian, Red Hat and Ubuntu, before the vulnerability was disclosed Jan. 26. 

Apple didn't join them, perhaps because Apple developers weren't aware macOS might be affected. There is in fact an obstacle that prevents the exploit from working right out of the box on macOS. 

But Matthew Hickey, CEO and co-founder of the information-security consulting firm Hacker House, showed on Twitter yesterday that a couple of simple command-line entries will remove that obstacle and make the Baron Samedit exploit possible on macOS. 

See more

Hickey called it "one of the most devastating and widespread LPE's [local privilege escalations] in modern UNIX/Linux history."

Will Dormann at the Computer Emergency Response Team Coordination Center (CERT-CC), a research facility at Carnegie Mellon University in Pittsburgh that's funded by the U.S. Department of Defense, confirmed Hickey's findings shortly thereafter.

See more

So did Patrick Wardle, a well-known Mac hacker, who confirmed that macOS Big Sur 11.2 was vulnerable.

See more

Hickey's findings were quickly made into proof-of-concept code and put up on Pastebin for all to see.

What you can do about this macOS flaw

So what can you do to protect yourself from this? Hickey said the flaw isn't fixable by the user, even one with administrative privileges who's properly using sudo. 

You'll have to wait until Apple fixes this with an update to Big Sur and the two previous versions of macOS, 10.15 Catalina and 10.14 Mojave. It's possible that earlier, officially unsupported, versions may be patched as well, as Apple has done when fixing some very severe bugs in the past.

In the meantime, short of turning off your Mac until the patch comes, you should install and use one of the best Mac antivirus programs. The antivirus software won't prevent a jerk from sitting down at your machine and logging in, but hopefully you have other methods of stopping that.

After that, stick to the official Mac App Store when installing new programs until Apple fixes this flaw.

Tom's Guide has reached out to Apple for comment on this issue, and we will update this story when we receive a reply.

Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.