Apple closes critical system backdoor with OS X update

By

Older versions left vulnerable.

Apple has fixed a major security hole that has been present in its OS X operating system since at least 2011.

Apple closes critical system backdoor with OS X update

The 10.10.3 update addresses the so-called "rootpipe" vulnerability, which allowed an attacker to gain the highest level of access to the computer without a password.

The vulnerability existed in checking XPC entitlements and meant a process may gain admin privileges without properly authenticating, Apple revealed.

The flaw was identified by TruSec security researcher Emil Kvarnhammer, who discovered the flaw last October and notified Apple's product security team the following day.

Kvarnhammer said a planned full disclosure date in January had to be postponed after Apple reported that a fix would require "a substantial amount of changes on their side".

Even now only the latest version of Mac OS X, Yosemite (10.10) has been fixed, leaving Mavericks and Mountain Lion users vulnerable to exploits based on the flaw.

"We recommend that all users upgrade to 10.10.3," Kvarnhammer wrote.

For users who continue to run OS X 10.10, 10.10.1, or 10.10.2, a patch for the problem is included in the new Security Update 2015-004.

Kvarnhammer revealed some information about the problem at the end of October and a primer on how to protect affected versions of OS X was published a few days later.

The critical nature of the flaw will push more Mac OS users towards Yosemite, a free download with extensive hooks into Apple's iCloud services.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers

Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies

Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound

Log In

  |  Forgot your password?