Rootpipe Backdoor Flaw Not Going to be Patched on Older Versions of OS X

Posted on April 13th, 2015 by

There’s bad news for Mac users who aren’t planning (or aren’t able) to update their copies of OS X to 10.10.3.

You are at risk from a serious security bug that could be exploited by malicious hackers to crowbar open a backdoor into your computer.

And that means that criminals could take complete control of your iMac or MacBook, stealing information, planting malware, and spying on your activities.

The security flaw is one that we have discussed on the Mac Security blog before: the so-called “Rootpipe” privilege escalation bug (CVE-2015-1130).

The good news is that Apple patched the vulnerability in its code in last week’s OS X 10.10.3 update.

But there is bad news, too.

According to a blog post by Swedish security researcher Emil Kvarnhammar, who discovered and warned Apple about the Rootpipe flaw last year, only OS X Yosemite seems to be getting the fix.

Apple’s engineers in Cupertino, it appears, have decided that backporting the bug fix into older versions of OS X is too much like hard work.

“Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older.”

The problem is, of course, that if Apple itself can’t fix its legacy code because it’s too tricky, there’s little chance that anyone else will. In short, earlier versions of OS X aren’t going to get fixed.

Which means that if you are unable to upgrade the version of OS X on your computer, you have been left—somewhat precariously—in the lurch.

Some reports claim that over 50% of Mac users are already using OS X Yosemite, which is encouraging—but that still means that approximately half of all Macs out there are running a vulnerable version of the operating system, which could potentially be exploited by hackers.

In the opinion of security researcher Emil Kvarnhammar, there is only one good piece of advice that can be offered to vulnerable Mac users:

“Apple has now released OS X 10.10.3 where the issue is resolved. OS X 10.9.x and older remain vulnerable, since Apple decided not to patch these versions. We recommend that all users upgrade to 10.10.3.”

I would certainly agree with that. If there is any way that you can update your Macs to 10.10.3, do so now, because Kvarnhammar says that he will be fully disclosing all details of the Rootpipe vulnerability at the end of May at a Swedish security conference.

In short, the clock is ticking for users of older versions of OS X, and it wouldn’t be at all surprising to see hackers attempt to exploit the flaw.

Against that backdrop, it does seem reasonable to ask the following question: Should Apple have tried harder to protect users of older versions of OS X?

Or is it acceptable for Apple to only support those who are using the latest-and-greatest version, and thumb their noses at those who can’t (or won’t) upgrade to Yosemite?

What do you think? Leave a comment with your point of view below.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.