OS X Yosemite Flaw Leaves Macs Open to Hacker Takeover

Credit: Apple

(Image credit: Apple)

Mac OS X 10.10 Yosemite, Apple's latest operating system, was released to the public Oct. 15. The day beforehand, a security researcher revealed that he had found the operating system's first major security flaw and created software to exploit it.

The software, called Rootpipe, exploits an undisclosed privilege-escalation bug; attackers could use Rootpipe to seize control of Macs by giving themselves "root" access, turning themselves into super-administrators able to do just about anything on other people's machines.

MORE: Blackphone Review: All-Encompassing Security

The flaw's discoverer, Emil Kvarnhammar of Swedish security firm Truesec,  declined to elaborate on the specifics, or even why he named the accompanying exploit "Rootpipe," since that could help real attackers uncover the flaw. Truesec did release a short YouTube video on Oct. 14 showing Rootpipe gain root access without an administrator password on a Mac running Yosemite.

The flaw also affects OS X 10.9 Mavericks and 10.8 Mountain Lion, and the Rootpipe software, with a few modifications, works on each, Kvarnhammer told TechWorld Sweden.

The researcher said he reached out to Apple a day after he discovered the flaw. Apple didn't officially confirm that it existed, but appeared to tacitly acknowledge the vulnerability by asking Kvarnhammer and Truesec not to release their full findings until January 2015, giving Apple time to patch it.

Kvarnhammar did drop some hints about how Rootpipe works by giving Techworld Sweden steps that Mac users can take to protect themselves against not just Rootpipe, but any similar privilege-escalation bugs.

First, don't do day-to-day computer activities such as Web browsing or checking email on an administrator account, he said. If you're using an admin account when an attacker targets your machine, it's much easier for the attacker to take over your computer. (Kvarnhammar implied that Rootpipe needs to be launched from an admin account to grab root.)

Instead, use the admin account only for administrative tasks, and do your Web browsing and other work from a regular account that isn't allowed to install or modify software. 

Kvarnhammer also recommended that Mac users take advantage of the built-in encryption service FileVault to add an extra layer of protection to your files. That might not prevent Rootpipe from executing, but would prevent an attacker without a password from reading files. This guide walks you through the steps to set up FileVault.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr. Follow Tom's Guide at @tomsguide and on Facebook.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.