Yosemite vulnerability

sean
Valued Contributor

Zero day, more like zero responsibility!

root exploit


roiegat
Contributor III

Yeah, this is a tough one. We were testing it last night at the Mac Admins meetup in Philly. I tested it on a test machine with El Capitan and Yosemite and the results are as the article states. Crazy stuff.

mm2270
Legendary Contributor III

So, the guy's obviously a complete a-hole, so no slack there for him. He's a d*ck for releasing this without responsible disclosure.
But he does make a valid point that Apple has gotten into a really terrible habit of not back-porting fixes to previous OSes. I realize that back-porting takes some definite work on the part of developers, but in my view, it is just as irresponsible of Apple to only look to fix something this serious in an OS release that is several months away still.
As usual, the whole Mac community will be more or less forced to upgrade to El Capitan if they want to keep their Mac secure from these kinds of exploits. I really wish Apple would actually put some of those billions of dollars they make every quarter to do the necessary work of fixing this in the current shipping version of their OS. It's hard to continue to trust that Apple has its users' best interests in mind when they continue to NOT do the right thing, and keep looking to cut corners all the time!

bpavlov
Honored Contributor

Apple needs to take a page from Microsoft in regards to how they support their OSes. I'm not arguing for backwards compatibility, but they should at least provide a Support Lifecycle for their products that makes it clear what can be expected in terms of updates with their products. And if they find a security issue then they should fix it across all supported products at that point in time.

https://support.microsoft.com/en-gb/gp/lifeselect

Kaltsas
Contributor III

@bpavlov Yes, exactly. InfoSec is always asking me: is this supported, is this not supported, why did this fix get put in? Does Apple support these OSs or not? I'm like, well, it's n-2....ish. ish. ish. Though they did eventually back port the fix for CVE-2015-1130, there needs to be a bit more consistency in their support model. Especially if they want to continue this facade of being enterprise friendly.

sean
Valued Contributor

Yes of course we want Apple to back port, especially considering they haven't end of lifed previous OS versions. However, as the guy has admitted himself, he doesn't even know if Apple fixed it intentionally in 10.11 or if it became fixed by accident, so his argument that Apple should have back ported already is ridiculous.

He needs to learn from the professionalism and maturity that someone like Emil Kvarnhammar showed with rootpipe.

Zero day threats are severe and this is only a zero day threat due to his own arrogant naivety.

Strangely enough, he hasn't announced it until he came up with a fix. I guess this is some poor attempt to get people to recognise them and get their code used.

mm2270
Legendary Contributor III

You'll get no argument from me that he's acting like a child in this situation. It does seem like he's on some kind of vendetta to trash Apple wherever possible. I get rather annoyed at these so-called "security researchers" like him that give all the other legit researchers a bad name by acting like this. No matter how he feels about the company, he is putting millions of users' information at risk, and that's really low.
And yeah, I suppose it's possible this got fixed by accident by way of other changes Apple made in 10.11, but unfortunately we may never even know for sure since Apple probably won't admit anything one way or another.

Regardless, it sure would be nice to see Apple post a fix for this at some point for Yosemite. It used to be that I could confidently tell folks here that fixes would make it into the current shipping OS at a minimum but past OSes were not a guarantee.
Of course, if Apple doesn't even admit this vulnerability exists until they release 10.11, then they can get away with saying it's fixed in the 'current release'.

roiegat
Contributor III

So some good news at least. On a normal image, the script might not be as effective. It requires gcc to compile the code it writes. I just tested three machines from fresh OS builds, and since Xcode isn't installed on them, gcc isn't either. When the user attempts to run the script, it tries to get gcc, which the user can't get since it's blocked by proxy and they don't have admin rights.

But still one to keep an eye on.

CasperSally
Valued Contributor II

I put in an enterprise ticket asking for a fix before 10.10.5 that is smaller than their typical combo update so we can realistically push it out (as we did last year with the NTP and bash fixes).

sean
Valued Contributor

@roiegat You don't require Xcode to abuse this. It's just a line of code that anyone can run.

Speaking of which, has anyone popped down to the Apple Store yet to have a play?