[MacTUG] Apple patches root escalation in Yosemite, older may not see patch | MacNN

Mike Patterson mpatterson at uwaterloo.ca
Fri Apr 10 15:39:34 EDT 2015


I’ve posted this link to the security working group as well, with the following commentary (apologies to people who are now seeing this for the second time):

So, while Apple has traditionally provided security patches for releases X-1 and X (and sometimes going X-2), they’ve broken the de facto support of “2-3 most recent releases” with the latest 10.10.3 patch:
http://www.macnn.com/articles/15/04/10/exploit.demonstrated.with.physical.access.possible.remote.exploit/

While we don’t have a good way to enumerate MacOS releases (in the past I’ve fudged it based on user-agent strings seen in http connection logs), I think it’s pretty safe to say we’ve got several dozen to hundreds of systems on releases older than 10.9, never mind 10.10.

Now, Apple is correct in that the physical security requirement is a mitigating factor for *this* vulnerability, but I think this should be an impetus for anybody at a release older than 10.9 to be upgrading ASAP - Apple has now set a precedent for not fixing a serious vulnerability if they deem it too difficult to do.

> On Apr 10, 2015, at 11:13 AM, Marlon A. Griffith <m3griffi at uwaterloo.ca> wrote:
> 
> """
> The exploit takes advantage of a flaw in the Admin framework, and "was probably to serve the "System Preferences" app and systemsetup (command-line tool)" but discoverer Emil Kvarnhammar notes that it can be used by any user process. The procedure for the attack, as well as the discovery process is laid out in a detailed blog post about the matter published yesterday.
> 
> Kvarnhammar calls the exploit "this is a local privilege escalation to root, which can be used locally or combined with remote code execution exploits." The code still requires authentication to run, and it seems likely that default OS X application sandboxing settings would prevent a malicious app from executing unless the user is persuaded by social engineering, unless distributed by an authenticated developer or somehow used through an app on the Mac App Store. However, if the user has changed the default settings to allow any code to run, regardless of signing, this is more of an issue. Remote execution through a website is theoretically possible, but at first glance the exploit doesn't seem to be accomplished through Flash or Java.
> 
> http://www.macnn.com/articles/15/04/10/exploit.demonstrated.with.physical.access.possible.remote.exploit/
> """
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug
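The message above mentions estimating the installed OS X releases from user-agent strings in HTTP logs. The script below is an added example of that approach and is not code from the mailing list or from anyone quoted in it. It assumes Apache combined-format access logs (client address first, user agent as the last quoted field), uses constructed sample lines, and takes 10.9 as the oldest release that received the 10.10.3-era fix, as the message states, so anything older is reported as unpatched.

```python
import re

# Constructed sample access-log lines in Apache combined format (not from any real server).
SAMPLE_LOG = """\
10.0.0.11 - - [10/Apr/2015:09:01:12 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18"
10.0.0.12 - - [10/Apr/2015:09:02:30 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8.5) Gecko/20100101 Firefox/36.0"
10.0.0.13 - - [10/Apr/2015:09:03:01 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.10 Safari/533.20.27"
10.0.0.11 - - [10/Apr/2015:09:04:44 -0400] "GET /docs HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18"
10.0.0.14 - - [10/Apr/2015:09:05:10 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36"
10.0.0.15 - - [10/Apr/2015:09:06:00 -0400] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.1.6 Safari/537.78.2"
"""

# Client address is the first token; the user agent is the last double-quoted field.
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"\s*$')
# Safari reports "10_10_2", Firefox reports "10.8.5": accept either separator.
UA_OSX_RE = re.compile(r"Mac OS X (\d+)[._](\d+)(?:[._](\d+))?")

# Oldest release that received the fix, per the message above (assumption for this example).
PATCHED_MIN = (10, 9)


def parse_line(line):
    """Return (client_host, (major, minor)) for an OS X client line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ua = m.groups()
    v = UA_OSX_RE.search(ua)
    if not v:
        return None  # not an OS X user agent (or no version advertised)
    return host, (int(v.group(1)), int(v.group(2)))


def inventory(log_text):
    """Map (major, minor) release -> set of client hosts seen advertising it."""
    hosts_by_release = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, release = rec
        hosts_by_release.setdefault(release, set()).add(host)
    return hosts_by_release


def unpatched_hosts(hosts_by_release, minimum=PATCHED_MIN):
    """Hosts whose advertised release is older than the oldest patched one."""
    return {h for rel, hosts in hosts_by_release.items() if rel < minimum for h in hosts}


def report(log_text):
    """Human-readable summary, oldest release first."""
    inv = inventory(log_text)
    lines = []
    for rel in sorted(inv):
        flag = "UNPATCHED" if rel < PATCHED_MIN else "ok"
        lines.append(f"10.{rel[1]}: {len(inv[rel])} host(s) [{flag}]")
    lines.append(f"total hosts needing upgrade: {len(unpatched_hosts(inv))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Counting distinct client addresses rather than requests keeps a chatty host from inflating the tally, but the result is still the "fudged" estimate the message describes: a NAT gateway or proxy collapses many machines into one address, and a user agent only says what the browser chooses to advertise.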
