A white-hat hacker from Sweden says he’s found a serious security hole in Apple’s Yosemite OS X that could allow an attacker to take control of your computer.
Emil Kvarnhammar, a hacker at Swedish security firm Truesec, calls the vulnerability “rootpipe” and has explained how he found it and how you can protect against it.
It’s a so-called privilege escalation vulnerability, which means that even without a password an attacker could gain the highest level of access on a machine, known as root access. From there, the attacker has full control of the system.
It affects the newest OS X release, version 10.10, known as Yosemite. Apple hasn’t fixed the flaw yet, he says, so Truesec won’t provide details of how it works for now.
“It all started when I was preparing for two security events, one in Stockholm and one in Malmö,” Kvarnhammar says. “I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few ‘proof of concepts’ online, but the latest I found affected the older 10.8.5 version of OS X. I couldn’t find anything similar for 10.9 or 10.10.”
Mac users tend to keep their OS more up to date than Windows users, he says, and he wanted to find a vulnerability that would affect current users, so he started digging around in the newer versions of OS X.
“I started looking at the admin operations and found a way to create a shell with root privileges,” he says. “It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it.”
He tested the vulnerability on version 10.8.5 of the OS and got it to work, he says. Then he tried on 10.9 but with no luck.
“I was a bit dejected but continued to investigate,” Kvarnhammar said. “There were a few small differences [in later releases] but the architecture was the same. With a few modifications I was able to use the vulnerability in the latest Mac OS X, version 10.10.”
When he’s trying to find vulnerabilities in an OS, he said, he tries to get a feel for how the developer was thinking. In this case, Apple had migrated and moved some functions, but basically the same flaws remained.
“Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin can’t gain root access without entering the correct password. However, rootpipe circumvents this,” he says.
He says he reported the vulnerability to Apple the day after he discovered it.
He didn’t get much of a response, he said, which didn’t surprise him given Apple’s policy of not confirming vulnerabilities. But because Apple agreed to a date when he can publish details of the flaw, he believes the company indirectly confirmed it.
“For our part, there was no discussion: we do responsible disclosure,” he said. “But we also wanted to announce that we found a serious flaw; there is a big risk here.”
“In our dialogue with Apple, we agreed on a date for full disclosure. After this date, we can talk about exactly what we found.”
“Details on the #rootpipe exploit will be presented, but not now. Let's just give Apple some time to roll out a patch to affected users.” — Emil Kvarnhammar (@emilkvarnhammar), October 16, 2014
As it stands now, a full disclosure is likely to be published in January.
Apple takes security seriously, he said, though they’re sometimes a bit “careful” about the information they publish because they want to give the impression that their software is as safe as possible. But he said it’s naive to think OS X is immune to critical vulnerabilities. Like any complex software, he says, there are inherently numerous flaws.
So how did he come up with the name rootpipe? “I can’t get into that too much; I’ll get back to you when we can provide more information,” he said.
What you can do right now
He says there are ways to protect against rootpipe and enhance the security of your Mac generally. Step one is to make sure you’re not running the system on a daily basis with an admin account—that is, one that has admin privileges.
That’s tricky since most Macs get set up with only one account on them, and that account has admin privileges. His tip is to create a new account and assign it admin privileges, and call it “admin” or something similar. Then log into the admin account and remove the admin permissions from the other account you’ll be using day in and day out.
That means if a hacker takes over the account that’s used daily, it won’t have the admin permissions, which will limit the harm they can do. The user will have to enter an admin password to install new software or make some other change, but it might be worth the hassle until the flaw gets fixed.
He also recommends using Apple’s FileVault tool, which encrypts the hard drive. The performance hit on the system is minimal, he says, and you probably won’t notice it at all.
“This is a great way of protecting your data, especially if your computer gets stolen,” he says.
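Both mitigations above can be checked from Terminal. The script below is an added example, not code from Kvarnhammar or Truesec: a read-only audit that reports whether the current account is in the admin group and whether FileVault is on. The function names are hypothetical; the commands it calls or prints (id, fdesetup, dseditgroup) are stock OS X tools.

```shell
#!/bin/sh
# Added example: audit the two mitigations described in the article.
# Read-only: it reports status and prints the fix command; it changes nothing.

# in_admin_group GROUPS: succeeds if the space-separated list contains "admin".
# Exact match only, so groups such as "_lpadmin" do not count.
in_admin_group() {
    for g in $1; do
        if [ "$g" = "admin" ]; then
            return 0
        fi
    done
    return 1
}

# filevault_on STATUS_TEXT: succeeds if `fdesetup status` output reports On.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit USER GROUPS FV_STATUS: prints findings, returns the number of findings.
audit() {
    findings=0
    if in_admin_group "$2"; then
        echo "FINDING: '$1' is in the admin group; use a standard account day to day."
        echo "  From a separate admin account: sudo dseditgroup -o edit -d $1 -t user admin"
        findings=$((findings + 1))
    else
        echo "OK: '$1' is a standard account."
    fi
    if filevault_on "$3"; then
        echo "OK: FileVault is on."
    else
        echo "FINDING: FileVault is not on (System Preferences > Security & Privacy)."
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run against the live system only on OS X; elsewhere just define the functions.
if [ "$(uname)" = "Darwin" ]; then
    audit "$(id -un)" "$(id -Gn)" "$(fdesetup status 2>/dev/null)" || true
fi
```

Run it from the account you use every day. Create the separate admin account first, so the machine is never left without an administrator.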