Apple closes critical system backdoor with OS X update

Older versions left vulnerable.

Apple has fixed a major security hole that has been present in its OS X operating system since at least 2011.

The 10.10.3 update addresses the so-called "rootpipe" vulnerability, which allowed an attacker to gain the highest level of access to the computer without a password.

The vulnerability lay in the checking of XPC entitlements and meant a process could gain admin privileges without properly authenticating, Apple revealed.

The flaw was identified by TruSec security researcher Emil Kvarnhammer, who discovered it last October and notified Apple's product security team the following day.

Kvarnhammer said a planned full disclosure date in January had to be postponed after Apple reported that a fix would require "a substantial amount of changes on their side".

Even now, only the latest version of Mac OS X, Yosemite (10.10), has been fixed, leaving Mavericks and Mountain Lion users vulnerable to exploits based on the flaw.

"We recommend that all users upgrade to 10.10.3," Kvarnhammer wrote.

For users who continue to run OS X 10.10, 10.10.1, or 10.10.2, a patch for the problem is included in the new Security Update 2015-004.

Kvarnhammer revealed some information about the problem at the end of October, and a primer on how to protect affected versions of OS X was published a few days later.

The critical nature of the flaw will push more Mac OS users towards Yosemite, a free download with extensive hooks into Apple's iCloud services.

Copyright © iTnews.com.au. All rights reserved.