Users should hurry to apply the update for OS X 10.10.3

Apr 10, 2015 08:24 GMT

A hidden backdoor API in OS X versions older than 10.10 that grants root access to a user with limited privileges has been sitting in Apple’s operating system since at least 2011, when OS X 10.7 was released.

The vulnerability was patched in the latest round of security updates from the company on Wednesday, but because solving the problem (CVE-2015-1130, dubbed "rootpipe") required a large number of changes, the fix has not been back-ported to builds 10.9.x and earlier.

In December 2014, the vulnerable OS X versions (10.9, 10.8 and 10.7) accounted for 43% of the platform’s install base. In the global OS context, in March 2015, revision 10.9 was still used by 1.61% of the users.

Apple closed the bug in a second attempt

Swedish security researcher Emil Kvarnhammar discovered that the flaw was present in the Admin framework of Apple’s OS.

“The intention was probably to serve the ‘System Preferences’ app and systemsetup (command-line tool), but there is no access restriction. This means the API is accessible (through XPC) from any user process in the system,” he said in a blog post.

Exploiting it requires physical access to the device, although it can also be leveraged remotely when combined with a separate remote code execution exploit that first gets code running on the machine.

The bug was privately disclosed to Apple in early October 2014, and later that month, Kvarnhammar provided the exploit code to the company.

Apple made more than one attempt to eliminate the bug and was able to issue a proper fix only in OS X 10.10.3. The first release of the patch occurred in OS X 10.10.2, which proved to still be vulnerable.

Exploit works with both admin and regular user accounts

During the research, the security expert initially managed to elevate access rights to “root” only in the case of admin accounts. A “root” account has full control of the machine, with read and write permissions in any area of the system.

The root account is not listed in the Users & Groups, Users, or Accounts preference panes, and it can be enabled only by someone with an administrator account, which most Mac users have because the computer is usually operated by only one person.

However, Kvarnhammar found a way to extend the exploit to regular (non-admin) accounts too, which have far fewer privileges on the system.

“But I actually found a way to make it work for all users later, which means that the exploit is no longer limited to admin accounts only. It is as simple as sending nil to authenticateUsingAuthorizationSync instead of using the result of [SFAuthorization authorization],” he wrote in a blog post.

The researcher published the exploit code on Thursday, which should be enough of an incentive for users to switch to the latest revision of the operating system.