Bad news Mac users – even if you have kept your operating system up-to-date, it looks like your computer is still vulnerable to the Rootpipe flaw.
A quick recap for those who haven’t been following the Rootpipe saga closely:
Back in October 2014, Swedish white-hat hacker Emil Kvarnhammar revealed that he had uncovered a dangerous vulnerability in some versions of OS X (including the then newly-released 10.10 Yosemite) that could allow a hacker to take complete control of your desktop Mac or MacBook laptop.
Dubbed Rootpipe, the privilege escalation bug was also given the geeky moniker CVE-2015-1130.
Being a decent fellow, Kvarnhammar said that he would not make details of the Rootpipe vulnerability public until Apple patched the flaw – which they did (along with many other security bugs) earlier this month.
Unfortunately, a few days later, it became clear that although Apple claimed to have fixed the Rootpipe vulnerability in OS X 10.10.3, they had no plans to patch older, pre-Yosemite, versions of the operating system – leaving Mac users at risk.
Which isn’t great.
But what’s worse is that it is now claimed that Apple’s Rootpipe fix for OS X Yosemite 10.10.3 users is itself flawed, meaning the backdoor vulnerability remains on all Macs.
Oh dear.
Patrick Wardle, director of R&D at Synack, says that he stumbled across a “trivial way for any local user to re-abuse rootpipe” while flying back from a security conference.
He created a video to demonstrate the flaw in action:
Wardle says on his blog that he is not making details of how to exploit the vulnerability public at this time, but has shared information with Apple’s security team.
All eyes now turn to Apple for a response, and – if you’re concerned about the vulnerability – it would make sense to take care over who you allow to use your computer.
Let’s all hope that Apple will fix the problem once and for all now, and – hey Apple! – how about providing some protection for users of older versions of OS X at the same time, eh?
On my personal laptop, and on essentially all MacOS installations, local user privilege escalation is not, by itself, a significant problem. The only authorized user – me – is authorized to escalate privilege at will, although I guard that with some care.
The problem would be far more serious combined with one allowing unauthenticated remote access as an ordinary user. Apple should, of course, correct this with minimum delay.
"On my personal laptop, and on essentially all MacOS installations, local user privilege escalation is not, by itself, a significant problem."
Yes it absolutely is a problem, regardless of what you believe: it isn't as simple as you make it out to be. Escalation is always a problem, whether you acknowledge it or not (it need not even be a person doing this, and causing problems). Most importantly, privilege escalation IS a breach of security, and it is a rather serious one at that (but why ignore any security problem? That's asking for trouble).
"The problem would be far more serious combined with one allowing unauthenticated remote access as an ordinary user. Apple should, of course, correct this with minimum delay."
Define 'allow'. Remote execution of (arbitrary) code, remote holes allowing access (which then becomes local) (and yes, the former can result in the latter), malware (yes it exists, and anyone who claims otherwise is very naive or ignorant to history – Unix was not designed with security in mind and anything deriving from it – in fact, all software – suffers from this[1]), and those are more obvious examples. Furthermore, call this what you will, but after remotely logging in to a server, the user is no longer remote but local (yes, yes, there's some semantics with 'logging in' and 'local' versus 'remote' but that doesn't change the fact that if I have shell access on a remote server, and I am logged in, at the command prompt, over the wire, the session is local in every way that matters [despite the fact that the connection is remote]: if the system isn't configured properly, I could cause it to halt in ~1ms by one command, or alternatively, after writing a small, very basic amount of C [for example], compiling it and running it. This does NOT require privilege separation, either, and then you consider remote code execution).
[1] One might argue that some software is designed with security in mind, for example OpenBSD. Well yes, this is true, it is hardened out of the box. But the fact remains that inherently all software is vulnerable/flawed in some form or another, and there's always going to be things missed. For instance, version 1 of ssh allowed MiTM attacks. This includes OpenSSH and guess where it comes from (and to say it was ssh itself is ignoring the point because ssh is hardly the only software that has had this problem, and in any case, the link between OpenBSD and OpenSSH is relevant when you consider that they were designed with security in mind).
"… – hey Apple! – how about providing some protection for users of older versions of OS X at the same time, eh?"
If only Apple actually cared about users of older versions of OS X (…sigh). But they don't. They prove it over and over, not least in their refusal even to warn users of older versions of a cut-off date by which they will cease supporting any given version.
Our concept of responsible computer use requires us to keep our computers fully patched, not just so we stay secure, but also so we don't spread malware to other systems we interact with on a daily basis. So, when Apple drops support for our older version of OS X, we’re forced to "upgrade" to a newer version.
The last jump (from Snow Leopard to Mountain Lion) took about three months of testing hundreds of apps and plugins for compatibility on a cloned test-bed boot drive while trying to keep production moving. (We have 12 Macs at this location.)
Meanwhile, increasing numbers of developers continued to drop support for Snow Leopard (even before Apple did!), thereby increasing our exposure through apps that could no longer be patched. Yet, installing the latest version of OS X wasn't possible because of production software incompatibilities (some in Apple's own software) that remained unfixed in the more recent versions of OS X.
So yeah…I'm all in favor of Apple supporting "older versions". But the trend seems to be in the other direction. And beyond encouraging everyone who reviles that trend to bombard Apple with feedback, there doesn't seem to be much that one can do except accommodate Apple's accelerated program of forced obsolescence. It sucks for anyone who uses the Mac in a production environment.