Latest OS X security updates fix ‘Rootpipe’ vulnerability

One recent security flaw in Apple’s Mac OS platform that gained some press was the Rootpipe vulnerability, in which security researcher Emil Kvarnhammar found a method of attacking a Mac that could bypass OS X’s security and give the attacker full administrative control of the system. The issue took advantage of faulty entitlement checks for XPC services (small helper processes launched on behalf of an application to take on workloads, so that a crash in one of them does not bring down the main application), and allowed a developer to break the sandboxing rules in OS X.

These sandboxing rules keep applications from gaining privileges or changing parts of the system that the developer did not intend, and by breaking them, Kvarnhammar could gain full access to a system.

This issue was revealed last year and was expected to be tackled by Apple in January; however, with the release of OS X 10.10.2 and the corresponding security updates, Apple had not yet patched this hole. Granted, the issue was not one found to be used in the wild by attackers, but it was one that caused concern in the community, especially since, once discussed, it would undoubtedly be added to the list of vulnerabilities used by malicious individuals.

However, with this latest round of updates, including OS X 10.10.3 and security updates 2015-004, Apple has specifically noted that the sandbox entitlements for XPC services that allowed for Rootpipe have been updated to no longer allow this vulnerability.

This, along with the many similar vulnerabilities that are found and addressed on a regular basis, is the main reason for small updates and security patches. So while you might be weighing OS X 10.10.3 and other updates against potential flaws, risks to your workflow, and unwanted changes to how you use your Mac, overall they are highly recommended to install as soon as possible in order to close holes such as this. Furthermore, once a vulnerability has been patched, it and the methods of exploiting it tend to be discussed more widely, meaning that unpatched systems are at an even greater risk after an update has been issued.

When Rootpipe was found, the approaches Emil Kvarnhammar recommended for securing your Mac were to turn on many of Apple’s security features, including demoting your main user account to a standard one and setting up a dedicated, rarely used account for administrative purposes, and to enable FileVault to encrypt your entire drive. Even though this vulnerability has been patched, these approaches still apply for keeping your Mac as safe as possible.
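As an added illustration of the post’s advice (example code written for this page, not from the article, Apple, or the researcher), the following sh script audits the three points above: whether the installed version is at least 10.10.3, whether the current account is in the admin group, and whether FileVault is on. The parsing functions take command output as arguments so they can be tried with constructed strings anywhere; `audit` feeds them the real output of the standard OS X tools sw_vers, dscl and fdesetup when run on a Mac.

```shell
#!/bin/sh
# Added example: audit a Mac against the post's Rootpipe-era recommendations.
# The three check_* / *_on functions are pure shell so they can be exercised
# with constructed input; audit() runs the real commands on OS X.

# Returns 0 when "$1" is OS X 10.10.3 or later (the release the post names as
# carrying the fix), 1 for anything older or unparsable.
version_has_fix() {
  case "$1" in [0-9]*.[0-9]*) ;; *) return 1 ;; esac
  major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$patch" = "$rest" ]; then patch=0; fi      # "10.10" has no patch field
  if [ "$major" -ne 10 ]; then return 1; fi
  if [ "$minor" -gt 10 ]; then return 0; fi
  if [ "$minor" -eq 10 ] && [ "$patch" -ge 3 ]; then return 0; fi
  return 1
}

# Returns 0 when user "$2" is listed in "$1", the line that
# `dscl . -read /Groups/admin GroupMembership` prints.
is_admin_member() {
  for m in $(printf '%s\n' "$1" | sed 's/^GroupMembership: *//'); do
    if [ "$m" = "$2" ]; then return 0; fi
  done
  return 1
}

# Returns 0 when "$1", the output of `fdesetup status`, reports FileVault On.
filevault_on() {
  case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# Runs the real commands on a Mac and prints one finding per check.
audit() {
  ver=$(sw_vers -productVersion); user=$(id -un)
  members=$(dscl . -read /Groups/admin GroupMembership)
  fv=$(fdesetup status)
  if version_has_fix "$ver"; then echo "OS $ver: includes the 10.10.3 fix"
  else echo "OS $ver: predates 10.10.3, install the available updates"; fi
  if is_admin_member "$members" "$user"; then
    echo "user $user: administrator; consider a standard account for daily use"
  else echo "user $user: standard account"; fi
  if filevault_on "$fv"; then echo "FileVault: on"
  else echo "FileVault: off, enable it to encrypt the drive"; fi
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run it as `sh audit.sh --audit` on the Mac you want to check; without the flag it only defines the functions.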

12 thoughts on “Latest OS X security updates fix ‘Rootpipe’ vulnerability”

  1. venicejeff

    Anyone have a feel for what we can do to patch the older OSes? Beyond the security practices mentioned, a real fix somehow? Or is it in the proprietary areas of OS X?

    1. alvarnell

      I know several people are looking into it, including the security expert that originally found the vulnerability, but nothing has been shown to completely fix older systems. But yes, technical discussions regarding this subject are closely held by Apple Product Security for obvious reasons.

  2. B. Jefferson Le Blanc

    The best way to approach OS X updates, and security updates in particular, is to back up your system, with Time Machine and/or a full system clone. That way you can get the necessary security fixes and have a way to revert your system if something should go wrong. Of course, updates aren’t the only thing that can trash your system – regular backups cover those contingencies as well. It cannot be repeated too often that there are only two kinds of computer users: those who have lost data and those who are going to lose data. If you think it cannot happen to you, you’re fooling yourself and will live to regret it.

    That said, Topher, what I’m really anxious to learn is if the OS X 10.10.3 update really fixed what was ailing Yosemite. Or do serious flaws remain? Please let us know when you have some answers to these questions.

  3. eqjones

    This is incorrect:

    “However, with this latest round of updates, including OS X 10.10.3 and security updates 2015-004, Apple has specifically noted that the sandbox entitlements for XPC services that allowed for Rootpipe have been updated to no longer allow this vulnerability.”

    Per Apple doc “About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 – Apple Support”:

    Admin Framework
    ***AVAILABLE FOR: OS X YOSEMITE V10.10 TO V10.10.2***
    Impact: A process may gain admin privileges without properly authenticating
    Description: An issue existed when checking XPC entitlements. This issue was addressed with improved entitlement checking.
    CVE-ID
    CVE-2015-1130 : Emil Kvarnhammar at TrueSec
    (Emphasis added)

    1. eqjones

      Completing my original thought… The vulnerability has been patched in Yosemite, but Security Update(s) 2015-004, which apply to Mountain Lion and Mavericks do NOT include the fix.

    1. alvarnell

      Apparently nobody knows. If you read through his comments at
      https://truesecdev.wordpress.com/2015/04/09/ Emil has not tested it and will not be as he doesn’t have access to a Snow Leopard installation.

      I have not run across anybody else who has tried to test it.

      1. Vic

        Looks like Snow Leopard is affected. In the comments of the original blog post, a commenter named Felipe successfully compromised Snow Leopard with an Objective-C version of the exploit. Snow Leopard was immune to a python script version of the exploit.

  4. eqjones

    Snow Leopard aside, what I find amazing and beyond disappointing, infuriating, in fact, is that as it stands, Apple has chosen to drop support for Mt. Lion and Mavericks, and OS X 10.11 (code named San Andreas Fault) hasn’t even been announced, let alone released.

    THE ENTIRE APPLE PLATFORM HAS BEEN REDUCED TO JUST ONE SUPPORTED VERSION OF OS X.

  5. Derek Currie

    There’s an interesting article by author and hacker ‘fG’ about the Rootpipe backdoor calling BS on Apple for NOT fixing the vulnerability in 10.9 and 10.8. He offers a method of patching the vulnerability that he states Apple could provide themselves.

    “How to fix rootpipe in Mavericks and call Apple’s bullshit bluff about rootpipe fixes”
    https://reverse.put.as/2015/04/13/how-to-fix-rootpipe-in-mavericks-and-call-apples-bullshit-bluff-about-rootpipe-fixes/

    The author points out that there has been malware in-the-wild exploiting the Rootpipe backdoor since 2014! IOW: There was a zero day exploit a year ago.

    Because exploiting Rootpipe requires hands-on access to any Mac, this isn’t considered a critical vulnerability for solo Mac users outside of an open work environment. But it appears to be disingenuous of Apple to NOT patch it for 10.9 and 10.8. I also have to point out that Apple already took a great deal of time to release the 10.10.3 patch, seeing as the vulnerability was first described and disclosed to Apple last October, 2014. This is not pleasing and indicates a level of laziness on Apple’s part. I was hoping the bad old days of Apple security laziness were over.

  6. Derek Currie

    Adding to my previous post about the Rootpipe situation:

    For reasons I cannot fathom, some security commentators (such as Steve Gibson from the ‘Security Now!’ podcast) have interpreted the Rootpipe exploit to be limited to hacking into Administrator accounts on OS X only. This is WRONG. Emil explicitly states that he was able to perform the full exploit from a STANDARD user account. Please share this with others and provide this reference, repeating what my pal alvarnell already linked above:

    Hidden backdoor API to root privileges in Apple OS X
    https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

    To quote Emil Kvarnhammar:

    “But I actually found a way to make it work for all users later, which means that the exploit is no longer limited to admin accounts only.”

    Emil then discusses in some detail how he worked around the Standard account limitation to perform the FULL exploit.

    Conclusion: Running your Mac from a Standard account will NOT protect you from the Rootpipe exploit on OS X 10.9 on down.

  7. Derek Currie

    Here is a naughty-word-censored version of a comment I attempted to post earlier:

    There’s an interesting article by author and hacker ‘fG’ about the Rootpipe backdoor calling shenanigans on Apple for NOT fixing the vulnerability in 10.9 and 10.8. He offers a method of patching the vulnerability that he states Apple could provide themselves.

    “How to fix rootpipe in Mavericks and call Apple’s [shenanigans] bluff about rootpipe fixes”
    – Visit: https://reverse.put.as
    – Search for his article on 2015/04/13
    – I’ve avoided providing the link in order to avoid triggering the naughty word filter.

    The author points out that there has been malware in-the-wild exploiting the Rootpipe backdoor since 2014! IOW: There was a zero day exploit a year ago.

    Because exploiting Rootpipe requires hands-on access to any Mac, this isn’t considered a critical vulnerability for solo Mac users outside of an open work environment. But it appears to be disingenuous of Apple to NOT patch it for 10.9 and 10.8. I also have to point out that Apple already took a great deal of time to release the 10.10.3 patch, seeing as the vulnerability was first described and disclosed to Apple last October, 2014. This is not pleasing and indicates a level of laziness on Apple’s part. I was hoping the bad old days of Apple security laziness were over.