14 DAY TRIAL // A security flaw in Apple’s operating system believed to have lain hidden for years, has recently been discovered by a Swedish security researcher, who created a video demonstrating the validity of the exploit code.
Dubbed Rootpipe, the vulnerability provides a potential attacker with the possibility of operating under elevated privileges on the affected machine. It has been discovered by Emil Kvarnhammar, a researcher at the Swedish security company Truesec.
There is a way to mitigate the risk until a permanent fix emerges
Because of the severity of the security glitch, no details have been published for now. However, Kvarnhammar said on Monday that information would surface in the middle of January 2015; this is part of the agreement with Apple, so that a fix is prepared, pushed to the users and allowed some time for being adopted by a large number of clients.
Rootpipe is basically a privilege escalation vulnerability from admin to root, which, as the researcher points out, can be mitigated by switching to a non-admin account until a patch is delivered. It can be leveraged both locally and remotely, through web exploits.
It is important to note that most OS X users have only one account on their system, and it generally has admin privileges.
Older OS X versions also affected
Apple already readies a fresh update for Yosemite, and rolls out version 10.10.1 for testers and developers. There is no info on the fixes it includes and every detail around it is mostly rumor and speculation.
According to Kvarnhammar, the glitch is present in the previous two versions of the operating system from Apple, 10.9 (Mavericks) and 10.8 (Mountain Lion). Slight adjustments need to be made for an attack to work on each of them, though, but in the end the risk is the same.
The flaw was presented in the Swedish press in the middle of October, including a video with the proof of concept (available below); but news about it made it to outlets in English at the end of last week. Since then, the researcher has shared some details with English speakers.
The researcher had trouble communicating with the security division at Apple in the beginning. After offering the necessary details, Apple failed to provide a reply about the course of action that would ensue from the developer.
Kvarnhammar did disclose the vulnerability responsibly, and seeing that no answer arrived from Cupertino, he also notified the US CERT (Computer Emergency Readiness Team). In the end, Apple contacted him and set a public disclosure date.
Proof-of-concept code showing how easy privilege escalation can be achieved though Rootpipe vulnerability:
