OS X Yosemite Flaw Leaves Macs Open to Hacker Takeover

Credit: Apple

Mac OS X 10.10 Yosemite, Apple's latest operating system, was released to the public Oct. 15. The day beforehand, a security researcher revealed that he had found the operating system's first major security flaw and created software to exploit it.

The software, called Rootpipe, exploits an undisclosed privilege-escalation bug; attackers could use Rootpipe to seize control of Macs by giving themselves "root" access, turning themselves into super-administrators able to do just about anything on other people's machines.


The flaw's discoverer, Emil Kvarnhammar of Swedish security firm Truesec, declined to elaborate on the specifics, or even on why he named the accompanying exploit "Rootpipe," since that could help real attackers uncover the flaw. Truesec did release a short YouTube video on Oct. 14 showing Rootpipe gaining root access without an administrator password on a Mac running Yosemite.

OSX 10.10 hack - privilege escalation through rootpipe

The flaw also affects OS X 10.9 Mavericks and 10.8 Mountain Lion, and the Rootpipe software, with a few modifications, works on each, Kvarnhammar told Techworld Sweden.

The researcher said he reached out to Apple a day after he discovered the flaw. Apple didn't officially confirm that the flaw existed, but appeared to tacitly acknowledge the vulnerability by asking Kvarnhammar and Truesec not to release their full findings until January 2015, giving Apple time to patch it.

Kvarnhammar did drop some hints about how Rootpipe works by giving Techworld Sweden steps that Mac users can take to protect themselves against not just Rootpipe, but any similar privilege-escalation bugs.

First, don't do day-to-day computer activities such as Web browsing or checking email on an administrator account, he said. If you're using an admin account when an attacker targets your machine, it's much easier for the attacker to take over your computer. (Kvarnhammar implied that Rootpipe needs to be launched from an admin account to grab root.)

Instead, use the admin account only for administrative tasks, and do your Web browsing and other work from a regular account that isn't allowed to install or modify software.

Kvarnhammar also recommended that Mac users take advantage of the built-in encryption service FileVault to add an extra layer of protection to their files. That might not prevent Rootpipe from executing, but it would prevent an attacker without a password from reading files. This guide walks you through the steps to set up FileVault.
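The two pieces of advice above can be turned into a quick self-audit. The script below is an added example written for this article, not code from Truesec or Tom's Guide; it checks whether a given user appears in the macOS `admin` group (the output of `dscl . -read /Groups/admin GroupMembership`) and whether FileVault reports itself enabled (the first line of `fdesetup status`). The functions take that command output as arguments, so they run against constructed sample strings on any POSIX shell, and the live-data invocation for a real Mac is shown commented out.

```bash
#!/bin/sh
# Added example: audit the mitigations the article lists (do daily work from a
# standard account; keep FileVault on). Command output is passed in as strings
# so the checks can be exercised with constructed samples off a Mac.

# is_admin USER "GroupMembership: root alice bob"
# Returns 0 (true) if USER is listed in the admin group's membership line.
is_admin() {
    user=$1
    members=${2#GroupMembership:}
    for m in $members; do
        if [ "$m" = "$user" ]; then
            return 0
        fi
    done
    return 1
}

# filevault_on "<first line of fdesetup status>"
# fdesetup prints "FileVault is On." or "FileVault is Off." on its first line.
filevault_on() {
    case $1 in
        "FileVault is On."*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit USER ADMIN_LINE FDE_LINE
# Prints one warning per missing mitigation; returns the number of warnings.
audit() {
    findings=0
    if is_admin "$1" "$2"; then
        echo "WARN: $1 is an admin; browse and read mail from a standard account"
        findings=$((findings + 1))
    fi
    if ! filevault_on "$3"; then
        echo "WARN: FileVault is off; enable it under Security & Privacy"
        findings=$((findings + 1))
    fi
    return $findings
}

# On a Mac, run against live data (left commented so the script runs anywhere):
# audit "$(id -un)" "$(dscl . -read /Groups/admin GroupMembership)" \
#       "$(fdesetup status | head -n 1)"

# Constructed sample output, shaped like the real commands' output on a Mac.
SAMPLE_ADMIN="GroupMembership: root alice"
SAMPLE_FDE="FileVault is Off."
audit alice "$SAMPLE_ADMIN" "$SAMPLE_FDE" || echo "$? mitigation(s) missing"
```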

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr. Follow Tom's Guide at @tomsguide and on Facebook.

Comments
  • Haravikk
    FileVault 2, which is the version used on the affected OS X versions, won't prevent attackers from getting access to files, as it uses full-disk encryption; so long as the system has started up, the disk is effectively decrypted, at which point the root user can access any files it wishes. The only way to protect files further would be to use secure disk images, which is how FileVault 1 used to work; those introduce other headaches, but they need to be mounted before they are decrypted, so as long as you only mount them when you need them they should be safe, or at least safer.

    Using a separate admin/sudoer account is sound advice for every operating system; there's no reason to be in an account capable of elevating itself directly to root. Even if you're a developer you can sudo yourself via an admin account; it's only one extra step but is a lot better for security. It's also a good thing because it stops you doing stuff you may not realise has security implications, meanwhile an admin user may not get prompted while throwing files in vulnerable areas of the system.
  • Jill Scharr
    Hi Haravikk,
    I'm the writer of the Yosemite flaw piece. You're absolutely right about FileVault. I recommended using FileVault in the piece, however, because Kvarnhammar (the researcher who discovered the flaw in the first place) recommended it. Kvarnhammar has more information about how this particular flaw works, so it's possible there's a specific reason why FileVault would in fact protect Macs from these kinds of exploits. In any case, using FileVault or any kind of full-disk encryption is usually just a good idea.
    Thanks!