Few days after Apple patched the DYLD_PRINT_TO_FILE privilege-escalation vulnerability in OS X Yosemite, hackers have their hands on another zero-day bug in its operating system that allows hackers to gain root privileges to Mac computers.
Italian teenager Luca Todesco (@qwertyoruiop) has discovered two unknown zero-day vulnerabilities in Apple’s Mac OS X operating system that could potentially be exploited to gain remote access to a Mac computer.
The 18-year-old self-described hacker has also posted details of his finding with source code for an exploit on the Github repository, as well as software to mitigate the vulnerability.
OS X Zero-Day Exploit in the Wild
The hacker’s exploit makes use of two system flaws (which he dubbed ‘tpwn‘) in order to cause a memory corruption in OS X’s kernel.
Due to memory corruption, it’s possible to circumvent the space layout randomization of the kernel address, therefore bypassing the toughest level of security meant to keep out attackers away.
The attacker then gains a root shell access to the Mac computer, allowing them to:
- Install malicious programs
- Create users
- Delete users
- Trash the system
- Many more…
…even without the Mac owner’s permission.
Todesco said he had reported the issue to Apple, but did not contact the company prior to the publication of the vulnerabilities.
Todesco faced criticism for contacting Apple only a few hours before publishing his findings online and not giving the company enough time to release a security fix.
No Way Out for Mac Users
The vulnerability affects Mac OS X version 10.9.5 through version 10.10.5, the latest official build of Apple’s operating system.
Good news for Mac users who are running the latest beta of OS X El Capitan (also known as Mac OS X 10.11), as it appears that they aren’t affected by the zero-day flaws.
Until Apple patches these critical flaws, you don’t have any good options to prevent a skilled hacker from installing malware on your Mac computers, beyond using a third-party patch created by Todesco himself, called NullGuard.
However, installing a patch from a third party developer can be risky. Therefore, we advise you to thoroughly investigate the patch before installing, or it’s better to wait for an official patch certified by Apple.