Apple's attempt to fix a serious security weakness in OS X has fallen short, leaving users still vulnerable to malware seizing their Macs, it is claimed.
Patrick Wardle, director of research at Synack, reckons Cupertino has not been able to fully kill off the so-called "Rootpipe" backdoor that was supposed to be eradicated in last week's OS X Yosemite 10.10.3 update. Apple has refused to address the vulnerability in older versions of OS X, such as version 10.9.x.
The Rootpipe vulnerability, present in OS X since at least 2011, allows software to gain administrator-level privileges without permission. It means innocent-looking applications can log keypresses and cause havoc on the machine, and malware exploiting the hole is apparently in the wild.
Writing on his personal Objective-See blog over the weekend, Wardle says he has written some proof-of-concept code in Python to exploit parts of the Rootpipe bug lingering in OS X 10.10.3, and has published a video of it in action: it appears to show him, as a normal user, adding read access rights to a previously inaccessible root-owned file.
Wardle, an ex-NSA staffer and former NASA intern, declined to give any further details on the hack pending a fix from Apple; he says he has privately disclosed the bug to the iGiant.
The backdoor was reported in October 2014 by Emil Kvarnhammar. Authentication checks are missing in the part of the operating system that handles configuration settings for the computer, which can be exploited to escalate privileges.
"On my flight back from presenting at Infiltrate – amazing conference, by the way – I found a novel yet trivial way for any local user to re-abuse Rootpipe, even on a fully patched OS X 10.10.3 system," Wardle wrote on his blog.
"In the spirit of responsible disclosure, at this time, I won't be providing the technical details of the attack, besides of course to Apple. However, I felt that in the meantime, OS X users should be aware of the risk."
Apple was not immediately available for comment. ®