[MacTUG] Apple patches root escalation in Yosemite, older may not see patch | MacNN

Marlon A. Griffith m3griffi at uwaterloo.ca
Fri Apr 10 11:13:26 EDT 2015


"""
The exploit takes advantage of a flaw in the Admin framework, and "was probably to serve the 'System Preferences' app and systemsetup (command-line tool)" but discoverer Emil Kvarnhammar notes that it can be used by any user process. The procedure for the attack, as well as the discovery process, is laid out in a detailed blog post about the matter published yesterday.

Kvarnhammar calls the exploit "this is a local privilege escalation to root, which can be used locally or combined with remote code execution exploits." The code still requires authentication to run, and it seems likely that default OS X application sandboxing settings would prevent a malicious app from executing unless the user is persuaded by social engineering, unless distributed by an authenticated developer or somehow used through an app on the Mac App Store. However, if the user has changed the default settings to allow any code to run, regardless of signing, this is more of an issue. Remote execution through a website is theoretically possible, but at first glance the exploit doesn't seem to be accomplished through Flash or Java.

http://www.macnn.com/articles/15/04/10/exploit.demonstrated.with.physical.access.possible.remote.exploit/
"""

