Apple closes critical system backdoor with OS X update

Apple has fixed a major security hole that has been present in its OS X operating system since at least 2011.

The 10.10.3 update addresses the so-called "rootpipe" vulnerability, which allowed an attacker to gain the highest level of access to the computer without a password.

The vulnerability existed in checking XPC entitlements and meant a process may gain admin privileges without properly authenticating, Apple revealed.

The flaw was identified by TruSec security researcher Emil Kvarnhammer, who discovered the flaw last October and notified Apple's product security team the following day.

Kvarnhammer said a planned full disclosure date in January had to be postponed after Apple reported that a fix would require "a substantial amount of changes on their side".

Even now only the latest version of Mac OS X, Yosemite (10.10) has been fixed, leaving Mavericks and Mountain Lion users vulnerable to exploits based on the flaw.

"We recommend that all users upgrade to 10.10.3," Kvarnhammer wrote.

For users who continue to run OS X 10.10, 10.10.1, or 10.10.2, a patch for the problem is included in the new Security Update 2015-004.

Kvarnhammer revealed some information about the problem at the end of October and a primer on how to protect affected versions of OS X was published a few days later.

The critical nature of the flaw will push more Mac OS users towards Yosemite, a free download with extensive hooks into Apple's iCloud services.