Yosemite and Rootpipe


michkhol
Posts: 691
Joined: Tue Oct 24, 2006 8:06 am
Primary DAW OS: MacOS
Location: MD, USA

Yosemite and Rootpipe

Post by michkhol »

OS X users are urged to upgrade to Yosemite version 10.10.3 as soon as possible. Apple will not patch versions older than 10.10, reportedly due to the complexity of the fix.
http://appleinsider.com/articles/15/04/ ... -mavericks

NOTE: changed the subject since the original one is no longer relevant, the vulnerability is still there.
Last edited by michkhol on Tue Apr 21, 2015 11:17 am, edited 2 times in total.
MacPro, 32 GB RAM, Metric Halo ULN8
macOS 13.6.3, DP 11.3
billf
Posts: 3662
Joined: Sat Jan 22, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Home

Re: Yosemite is the only way (upgrade or be hacked)

Post by billf »

What? Apple can't be bothered to fix a backdoor bug in anything other than Yosemite? There has to be more to this story.
MacPro5,1 2012, six core 2 x 3.06, 10.12.5, Digital Performer 9.13, 40 gb ram, 828mkIII, 2408 mkII, MTP AV, Logic Pro X 10.3.1, Studio One v 3.2, Pro Tools 12.7.1
mikehalloran
Posts: 15218
Joined: Sun Jan 25, 2009 5:08 pm
Primary DAW OS: MacOS
Location: Sillie Con Valley

Re: Yosemite is the only way (upgrade or be hacked)

Post by mikehalloran »

DP 11.31; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sonoma 14.4.1, USB4 8TB external, M-Audio AIR 192|14, Mackie ProFxv3 6/10/12; 2012 MBPs Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5.2, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 Pro, Toast 20 Pro
HCMarkus
Posts: 9746
Joined: Tue Jan 10, 2006 9:01 am
Primary DAW OS: MacOS
Location: Rancho Bohemia, California

Re: Yosemite is the only way (upgrade or be hacked)

Post by HCMarkus »

http://www.imore.com/apple-working-fix- ... isk-anyway

I'm not very concerned.

PS: No one operates my studio other than me and a few highly-trusted clients. Those who allow outside engineers may have good reason to be worried.
michkhol
Posts: 691
Joined: Tue Oct 24, 2006 8:06 am
Primary DAW OS: MacOS
Location: MD, USA

Re: Yosemite is the only way (upgrade or be hacked)

Post by michkhol »

I'm concerned for two reasons.
1. I do remember DP had problems if run from a non-admin account. I do not know if it is the case anymore.
2. Any program that you install (legitimate or pretending to be as such) can use this exploit. The point is, you will never know.
MacPro, 32 GB RAM, Metric Halo ULN8
macOS 13.6.3, DP 11.3
mikehalloran
Posts: 15218
Joined: Sun Jan 25, 2009 5:08 pm
Primary DAW OS: MacOS
Location: Sillie Con Valley

Re: Yosemite is the only way (upgrade or be hacked)

Post by mikehalloran »

michkhol wrote: 2. Any program that you install (legitimate or pretending to be as such) can use this exploit. The point is, you will never know.
Nothing I have read or experienced has confirmed that. Besides, malware does not need root access to screw up your Mac.

I can gain root access to any Mac as long as a) I am seated at the keyboard, b) I have a few hours, and c) I have a reason to do so. It's not hard and the procedure is well documented in Apple Support. OS doesn't matter and it has nothing to do with either of the security issues. Anyone who knows how can do it. Were it not possible, certain problems could not be fixed and problem Macs would become doorstops instead of repairable.

What I cannot do – or rather, it would be very difficult to do – is perform the task so that no one would notice. Once done, it takes time to put Humpty back together again. The only way to do it seamlessly is through an Admin account where I have the password. Otherwise, anyone looking for a culprit or hack will find it easily.

Having said this, if I am sitting at a Mac that isn't mine for a few hours, I am doing repairs, updates or both. Of the 30+ Macs that I service and maintain, I have an Admin account on each of them but no remote access -- not interested.
DP 11.31; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sonoma 14.4.1, USB4 8TB external, M-Audio AIR 192|14, Mackie ProFxv3 6/10/12; 2012 MBPs Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5.2, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 Pro, Toast 20 Pro
billf
Posts: 3662
Joined: Sat Jan 22, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Home

Re: Yosemite is the only way (upgrade or be hacked)

Post by billf »

michkhol wrote:I'm concerned for two reasons.
1. I do remember DP had problems if run from a non-admin account. I do not know if it is the case anymore.
2. Any program that you install (legitimate or pretending to be as such) can use this exploit. The point is, you will never know.
The one researcher claims that Apple will not update this. However, if you file a bug report (I did), Apple does respond saying they are looking into it.
MacPro5,1 2012, six core 2 x 3.06, 10.12.5, Digital Performer 9.13, 40 gb ram, 828mkIII, 2408 mkII, MTP AV, Logic Pro X 10.3.1, Studio One v 3.2, Pro Tools 12.7.1
michkhol
Posts: 691
Joined: Tue Oct 24, 2006 8:06 am
Primary DAW OS: MacOS
Location: MD, USA

Re: Yosemite is the only way (upgrade or be hacked)

Post by michkhol »

mikehalloran wrote:Besides, malware does not need root access to screw up your Mac.
I'm not talking about your Mac, the picture is bigger:
A trojan looking like a video converter for instance (and performing as such), may install a bot that would send spam using your address book. It will install a system daemon without asking for the root password. You will never know it until the victims (who may be your dear friends) get infected by opening the trusted email from you.
Last edited by michkhol on Mon Apr 20, 2015 11:57 am, edited 1 time in total.
MacPro, 32 GB RAM, Metric Halo ULN8
macOS 13.6.3, DP 11.3
michkhol
Posts: 691
Joined: Tue Oct 24, 2006 8:06 am
Primary DAW OS: MacOS
Location: MD, USA

Re: Yosemite is the only way (upgrade or be hacked)

Post by michkhol »

billf wrote: The one researcher claims that Apple will not update this. However, if you file a bug report (I did), Apple does respond saying they are looking into it.
The flaw's detailed description is in the open. While Apple is looking, you are vulnerable if you are on OS X 10.7 - 10.9 and using an admin account for regular work.
MacPro, 32 GB RAM, Metric Halo ULN8
macOS 13.6.3, DP 11.3
billf
Posts: 3662
Joined: Sat Jan 22, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Home

Re: Yosemite is the only way (upgrade or be hacked)

Post by billf »

michkhol wrote: The flaw's detailed description is in the open. While Apple is looking, you are vulnerable if you are on OS X 10.7 - 10.9 and using an admin account for regular work.
For those who cannot upgrade to Yosemite, the way to file a bug report is here:

https://www.apple.com/feedback/macosx.html

Be sure to reference this blog post in your report:

https://truesecdev.wordpress.com/2015/0 ... /#comments
MacPro5,1 2012, six core 2 x 3.06, 10.12.5, Digital Performer 9.13, 40 gb ram, 828mkIII, 2408 mkII, MTP AV, Logic Pro X 10.3.1, Studio One v 3.2, Pro Tools 12.7.1
amergin
Posts: 120
Joined: Tue Nov 23, 2004 10:01 pm
Primary DAW OS: MacOS
Location: Ireland

Re: Yosemite is the only way (upgrade or be hacked)

Post by amergin »

There's a hell of a lot of Apple haters just itching to find even one example of something like this actually affecting a single Mac user. And the silence is deafening! There are millions of Macs running older OSes out there, I've been waiting to eat my hat for decades now but it's still in one piece. That doesn't mean that you can go to a porn site and download a random installer and smugly congratulate yourself on being free from danger because you're running a Mac, what it means is that as long as you use a modicum of common sense the sky will continue to fall on Windows users and you can sleep easy.
27" iMac, MOTU 828mk2, 10.6, DP7, Melodyne etc, etc.
Gravity Jim
Posts: 2005
Joined: Wed Apr 30, 2008 2:55 am
Primary DAW OS: MacOS
Location: Santa Rosa, CA

Re: Yosemite is the only way (upgrade or be hacked)

Post by Gravity Jim »

Lighten up, Francis.
Jim Bordner

MacPro 5,1 (3.33Ghz 12-core), 32g RAM, OS X 10.14.6 • MOTU DP 10.11 • Logic Pro X 10.2.5 • Waves Platinum, UAD-2, Slate Digital, Komplete, Omnisphere 2, LASS, CineSamples, Chipsounds, V Collection 5
mikehalloran
Posts: 15218
Joined: Sun Jan 25, 2009 5:08 pm
Primary DAW OS: MacOS
Location: Sillie Con Valley

Re: Yosemite is the only way (upgrade or be hacked)

Post by mikehalloran »

michkhol wrote:
mikehalloran wrote:Besides, malware does not need root access to screw up your Mac.
I'm not talking about your Mac, the picture is bigger:
A trojan looking like a video converter for instance (and performing as such), may install a bot that would send spam using your address book. It will install a system daemon without asking for the root password. You will never know it until the victims (who may be your dear friends) get infected by opening the trusted email from you.
So... you really think that someone is going to write malware that exploits the root level on OS 10.7-9 without Apple figuring out a defense. Mind you, this was first made public in January and it hasn't happened yet.

Or, since this security flaw has been exposed, do you think that the anti-virus vendors will be unsuccessful in patching their programs first? Do understand, these are the guys who stand to realize monetary gain when one researcher tells us that the sky is falling.
DP 11.31; 828mkII FW, micro lite, M4, MTP/AV USB Firmware 2.0.1
2023 Mac Studio M2 8TB, 192GB RAM, OS Sonoma 14.4.1, USB4 8TB external, M-Audio AIR 192|14, Mackie ProFxv3 6/10/12; 2012 MBPs Catalina, Mojave
IK-NI-Izotope-PSP-Garritan-Antares, LogicPro X, Finale 27.4, Dorico 5.2, Notion 6, Overture 5, TwistedWave, DSP-Q 5, SmartScore64 Pro, Toast 20 Pro
billf
Posts: 3662
Joined: Sat Jan 22, 2005 10:01 pm
Primary DAW OS: MacOS
Location: Home

Re: Yosemite is the only way (upgrade or be hacked)

Post by billf »

michkhol wrote:
billf wrote: The one researcher claims that Apple will not update this. However, if you file a bug report (I did), Apple does respond saying they are looking into it.
The flaw's detailed description is in the open. While Apple is looking, you are vulnerable if you are on OS X 10.7 - 10.9 and using an admin account for regular work.
Officially Apple knows about this issue. Officially they have NOT recommended users of Mavericks and earlier OSX versions that they need to upgrade immediately to Yosemite. That is the official stance at this moment.

Regarding your title "upgrade or be hacked," do you have any documentation that this has happened?

Be vigilant about your system, but let's be careful about the potential to spread FUD and panic.

BTW, Apple does things like this as well, which most of us never notice:

http://www.thesafemac.com/apple-cracks-down-on-adware/
MacPro5,1 2012, six core 2 x 3.06, 10.12.5, Digital Performer 9.13, 40 gb ram, 828mkIII, 2408 mkII, MTP AV, Logic Pro X 10.3.1, Studio One v 3.2, Pro Tools 12.7.1
michkhol
Posts: 691
Joined: Tue Oct 24, 2006 8:06 am
Primary DAW OS: MacOS
Location: MD, USA

Re: Yosemite is the only way (upgrade or be hacked)

Post by michkhol »

mikehalloran wrote: So... you really think that someone is going to write malware that exploits the root level on OS 10.7-9 without Apple figuring out a defense. Mind you, this was first made public in January and it hasn't happened yet.
The problem is that we don't know. We don't know if Apple comes up with a defense for older OSes. The bots are essentially sleeping cells until they are activated. Having root access, a bot can operate completely unnoticed and erase all traces. We cannot know if it happened yet because it is so far undetectable. And Apple is known to be notoriously slow in patching its flaws.
Last edited by michkhol on Mon Apr 20, 2015 7:17 pm, edited 1 time in total.
MacPro, 32 GB RAM, Metric Halo ULN8
macOS 13.6.3, DP 11.3