Rootpipe Backdoor Flaw Not Going to be Patched on Older Versions of OS X

Posted on April 13th, 2015 by

There's bad news for Mac users who aren't planning (or aren't able) to update their copies of OS X to 10.10.3.

You are at risk from a serious security bug that could be exploited by malicious hackers to crowbar open a backdoor into your computer.

And that means that criminals could take complete control of your iMac or MacBook, stealing information, planting malware, and spying on your activities.

The security flaw is one that we have discussed on the Mac Security blog before: the so-called "Rootpipe" privilege escalation bug (CVE-2015-1130).

The good news is that Apple patched the vulnerability in its code in last week's OS X 10.10.3 update.

But there is bad news, too.

According to a blog post by Swedish security researcher Emil Kvarnhammar, who discovered and warned Apple about the Rootpipe flaw last year, only OS X Yosemite seems to be getting the fix.

Apple's engineers in Cupertino, it appears, have decided that backporting the bug fix into older versions of OS X is too much like hard work.

"Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."

The problem is, of course, that if Apple itself can't fix its legacy code because it's too tricky, there's little chance that anyone else will. In short, earlier versions of OS X aren't going to get fixed.

Which means that if you are unable to upgrade the version of OS X on your computer, you have been left—somewhat precariously—in the lurch.

Some reports claim that over 50% of Mac users are already using OS X Yosemite, which is encouraging—but that still means that approximately half of all Macs out there are running a vulnerable version of the operating system, which could potentially be exploited by hackers.

In the opinion of security researcher Emil Kvarnhammar, there is only one good piece of advice that can be offered to vulnerable Mac users:

"Apple has now released OS X 10.10.3 where the issue is resolved. OS X 10.9.x and older remain vulnerable, since Apple decided not to patch these versions. We recommend that all users upgrade to 10.10.3."

I would certainly agree with that. If there is any way that you can update your Macs to 10.10.3, do so now, because Kvarnhammar says that he will be fully disclosing all details of the Rootpipe vulnerability at the end of May at a Swedish security conference.
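For anyone responsible for more than one Mac, the practical follow-up to that advice is an inventory check: which machines are still on a release older than 10.10.3? The script below is an added example, not code from the article or from Kvarnhammar, and it applies only what the post states: the fix shipped in OS X 10.10.3 and was not backported, so anything earlier is treated as unpatched. The host names and versions in `SAMPLE_INVENTORY` are constructed; `sw_vers -productVersion` is the standard OS X command for the local version and is only invoked when it exists.

```shell
#!/bin/sh
# Added example (not from the article): classify OS X version strings against
# the CVE-2015-1130 ("Rootpipe") fix boundary. The article states the fix
# shipped in 10.10.3 and was not backported, so 10.10.2 and earlier count as
# unpatched. Everything in SAMPLE_INVENTORY below is constructed sample data.

# Returns 0 (true) if "major.minor[.patch]" predates 10.10.3,
# 1 if it is 10.10.3 or newer, and 2 if the string cannot be parsed.
is_rootpipe_vulnerable() {
  ver=$1
  case "$ver" in
    *[!0-9.]*|"") return 2 ;;           # only digits and dots are accepted
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  [ "$rest" = "$ver" ] && rest=0        # bare "10": treat as 10.0.0
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0     # "10.10": no third component
  for c in "$major" "$minor" "$patch"; do
    [ -n "$c" ] || return 2             # catches malformed input like "10..3"
  done
  # Compare component by component against 10.10.3.
  [ "$major" -lt 10 ] && return 0
  [ "$major" -gt 10 ] && return 1
  [ "$minor" -lt 10 ] && return 0
  [ "$minor" -gt 10 ] && return 1
  [ "$patch" -lt 3 ] && return 0
  return 1
}

# Constructed inventory: one "hostname version" pair per line.
SAMPLE_INVENTORY='lab-mac-01 10.9.5
lab-mac-02 10.10.3
lab-mac-03 10.8.5
lab-mac-04 10.10.2
lab-mac-05 10.11
lab-mac-06 unknown'

# Reads "host version" pairs on stdin, writes "host version verdict" lines.
classify_inventory() {
  while read -r host ver; do
    [ -n "$host" ] || continue
    rc=0
    is_rootpipe_vulnerable "$ver" || rc=$?   # immune to set -e
    case $rc in
      0) verdict=UNPATCHED ;;
      1) verdict=patched ;;
      *) verdict=unknown ;;
    esac
    printf '%s %s %s\n' "$host" "$ver" "$verdict"
  done
}

# Prints the number of hosts classified UNPATCHED (always exits 0).
count_unpatched() {
  classify_inventory | awk '$3 == "UNPATCHED" { n++ } END { print n + 0 }'
}

# Demo over the constructed inventory.
printf '%s\n' "$SAMPLE_INVENTORY" | classify_inventory

# On a real Mac, classify this host too; elsewhere (no sw_vers) do nothing.
if command -v sw_vers >/dev/null 2>&1; then
  printf 'localhost %s\n' "$(sw_vers -productVersion)" | classify_inventory
fi
```

Hosts that come back `unknown` deserve a manual look rather than being assumed safe; a version string that does not parse usually means the inventory data is stale or malformed, not that the machine is patched.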

In short, the clock is ticking for users of older versions of OS X, and it wouldn't be at all surprising to see hackers attempt to exploit the flaw.

Against that backdrop, it does seem reasonable to ask the following question: Should Apple have tried harder to protect users of older versions of OS X?

Or is it acceptable for Apple to only support those who are using the latest-and-greatest version, and thumb its nose at those who can't (or won't) upgrade to Yosemite?

What do you think? Leave a comment with your point of view below.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • Alastair Houghton

    It’s worth getting this in perspective though. The #rootpipe vulnerability is only a problem for you if you allow third party log-ins to your machine. That rarely occurs outside of machines in computer labs at universities and schools, and doesn’t really affect 99% of users of Mac OS X.

    You might retort that it could be used in conjunction with some other remote access vulnerability or some kind of Trojan, which is true. However, older versions of OS X would require a breach of an admin account (which most remote attacks won’t get you… instead you’ll get into “nobody” or a special per-server account without admin privileges), and if we’re talking about Trojans it’s much easier just to convince the user to authenticate.

    So, should you worry? Probably not. Should you update to 10.10.3 if you can? Probably, yes.

    • mask_method

      Actually, to quote Kvarnhammar, from his blog, “But I actually found a way to make it work for all users later, which means that the exploit is no longer limited to admin accounts only.”

      • Alastair Houghton

        Yes, I know that. The bug that allows it to work for non-admin users doesn’t work on all versions of OS X (check the PoC exploit code). That’s why I said “OLDER VERSIONS of OS X would require a breach of an admin account”.

  • Compdub

    NOT ACCEPTABLE. My Mac is only 2 years old…. And now it shouldn’t be connected to the Internet! That’s crazy! As I am currently travelling around Australia in a Campervan (RV to the Americans out there), my Internet access is through a 4G connection on my Mobile phone. I don’t want to use Yosemite because it will result in the OS sending lots more data to the Apple cloud (for hand-off to an iPad or iPhone that I neither have nor want!) My monthly data allowance is limited and precious to me. The download of 5.5 Gb for Yosemite would use up my entire monthly limit in one go. ALSO, my hard drive is almost full (9Gb free) and while I would have room (just!) for the 5.5 Gb download – what about when it extracts itself and writes some temporary files during the upgrade? I’m pretty sure the remaining 3.5 Gb of disk space would be insufficient! The upgrade would fail and it would be a disaster.

    I have been a long-time Windows user and only two years ago bought my first Mac.
    I’d just like to point out that Microsoft patched Windows XP from 2002 until 2014, 12 years, and yet Apple can’t make my system secure when it’s only two years old? DISGRACEFUL. Totally NOT acceptable. Apple, you need to do better. I should at least get 4 years out of a machine that is so expensive in the first place (what the —- are we paying the premium for?). Only 2 years? Forget it. You can give me a refund on my system thanks, and I’ll go buy a Windows laptop instead. At least then I’d receive security patches for years and years.

    Not good enough Apple. Not acceptable.

  • David L

    I think it’s high time something be done about companies who sell products with defective or dangerous flaws, and refuse to make it right. These constant update cycles that often leave many behind for various reasons (hardware limitations etc.) are unacceptable. Forcing people to buy the latest, greatest to stay safe, only until the next sloppy coding is revealed, is outrageous. At least Microsoft has done a pretty good job of supporting older products. Why all the rest get away with creating a disposable product as soon as the warranty is up, or because “it’s too hard”, is egregious behavior. What does this mean for all future products? Are we supposed to throw away a TV after a few years, or any other electronic products? Planned obsolescence needs to be extended for more than a few years only. If your brand new car broke down as often as new software, you would not find that acceptable. Why do we put up with shoddy work from hardware/software manufacturers?

  • Ronnie Reagan

    So does the Intego software protect older Macs from this attack?

  • baseballmaven

    I can understand not going backward by more than 1 or 2 releases, but they really should protect older Macs too.

    Meanwhile, the issue only showed up on my machine when I did a standard security update to OS X 10.9.5 GRRR
