Security researcher Stefan Esser published the details of a vulnerability in OS X a couple weeks ago that allows an attacker to gain root privileges.
This week, Esser’s findings are back in the spotlight, due to some controversy regarding how this was done. Most people, though, are probably more interested in what the vulnerability is and how it might affect them.
The problem, in essence, is a root privilege escalation bug. Every Unix system, and OS X is no exception, has many hidden users defined by the system, besides the one or more that the average person is aware of (ie, the ones that show up on the OS X login screen). The root user is the highest of these, the one and only user that has access to everything. For this reason, access to the root user is tightly controlled. An attacker with root privileges can literally do anything to your system.
Although there are ways to gain root privileges on your Mac, they should require you to provide an admin user password, which is something an attacker hopefully won’t have. This is the issue with root privilege escalation bugs. They provide an attacker with a way to achieve root privileges without needing to know your password or anything else.
This is definitely a problem, but fortunately, it’s a smaller problem than it sounds like. First, because exploiting it requires an attacker to have some kind of access to your computer to begin with, either through some kind of physical or remote access, or through finding a way to get malware installed on your computer.
Assuming a hacker could gain that kind of access, though, this privilege escalation really doesn’t do much beyond possibly make malicious changes to your system harder to find. Malware can infect your system perfectly well, and do all the things it needs to do, without ever gaining root privileges.
The bigger problem in this story is the fact that this vulnerability, along with all the necessary information to exploit it, was disclosed by Esser without any effort to alert Apple to the problem. (In his blog post revealing the vulnerability, Esser says “At the moment it is unclear if Apple knows about this security problem or not.”)
Vulnerabilities get disclosed all the time. The problem is, researchers typically will try to abide by the ideal of responsible disclosure; ie, reporting the issue to the vendor whose product is affected, and giving them some time to fix it before going public. By not doing this, Esser has created a situation where many hackers have now become aware of a bug they weren’t previously aware of, and have full knowledge of how to exploit it.
(It could be argued that some hackers may have already known about it. However, it’s certain that most hackers did not, and now they do.) Of course, all responsibility for this issue doesn’t fall on Esser’s shoulders alone. After all, Apple wrote the code.
Further, according to information that has come out since Esser’s article was posted, they were informed about it some time ago by a South Korean researcher going by the Twitter handle “beist” (who did not seem pleased at the public release of this information). Apple needs to get a fix for this bug in place quickly at this point!
The question on most readers’ minds at this point is probably how to defend against this. Fortunately, the bug only exists in Yosemite (OS X 10.10), while previous versions of OS X and betas of El Capitan (OS X 10.11) are unaffected. For those using Yosemite, however, there’s no easy answer. Short of using software developed by Esser to protect against the bug he disclosed (trust issues, anyone?), the best way to protect yourself is to practice safe computing.
Don’t let someone you don’t know have physical or remote access to your computer, and be very careful about what you download and open. If untrusted people may have physical access to your computer, turn on FileVault in the Security & Privacy pane of System Preferences, to encrypt your hard drive and prevent anyone with physical access from being able to tamper with your system while you’re not watching.
110 Reykjavik, Iceland