Slashdot Mirror

← Back to Stories (view on slashdot.org)

OS X Bug Exploited To Infect Macs Without Need For Password

Posted by Soulskill on from the sooner-or-later dept.

An anonymous reader writes: A new flaw has been discovered in the latest version of OS X which allows hackers to install malware and adware onto a Mac without the need for any system passwords, researchers say. The serious zero-day vulnerability was first identified last week and results from a modified error-logging feature in OS X Yosemite which hackers are able to exploit to create files with root privileges. The flaw is currently found in the 'fully patched' OS X 10.10.4, but is not in the newest 10.11 El Capitan beta – suggesting that Apple developers were aware of the issue and are testing a fix.

3 of 127 comments (clear)

  1. Re: Also fixed in 10.10.5 by perpenso · · Score: 5, Informative

    I just installed Win10 via upgrade and rather easily turned off almost all the reporting features within minutes from the control panel.

    You could have turned off the reporting from the installer by selecting the custom configuration option.

  2. Better link by phantomfive · · Score: 5, Informative

    Here is a better link with more technical details.

    It's a privilege escalation exploit, so an attacker would already need shell access on your computer to get something done. Every OS has privilege escalation vulnerabilities, because it's much harder to close all the holes when you allow someone to execute arbitrary code on a system.

    That said, this is a particularly braindead bug from Apple, and it is worrisome because it shows they aren't thinking about security, or don't have proper processes in place to ensure the system stays secure. Their programmers should have known better than to create that kind of environment variable so lightly.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Better link by Dutch+Gun · · Score: 5, Insightful

      Is it really too much work for a security researcher to send an e-mail to product-security@apple.com? About five seconds of searching got me Apple's support page and that e-mail address.

      This guy admittedly didn't even try. And bugs that affect functionality are an entirely different matter than serious security issues. When dealing with a zero day, the decision on whether to announce it publicly depends on a number of factors.

      The very act of announcing it publicly guarantees that new exploits will explode in the wild (as this article confirms). And the reality is that very few OS X users will have seen this idiot's initial posting a month ago. Did you? I sure didn't. In the meantime, my system was and is now vulnerable to a hell of a lot more malware than it otherwise would have been.

      Sorry, but I have to disagree with you. Bad on Apple for making a stupid mistake in the first place and being slow to fix it, but I'm not giving this guy a pass either.

      --
      Irony: Agile development has too much intertia to be abandoned now.