
Rootpipe Flaw in OS X Could Allow Hackers to Completely Take Over Your Mac

Posted on November 5th, 2014 by Graham Cluley

For day-to-day activities on your Mac—such as browsing the web, writing documents or checking your email—are you using an account with Admin privileges?

I hope not. Because if you are, you're putting yourself and the data stored on your computer at greater risk.

That risk is underlined by a newly discovered vulnerability in some versions of OS X (including the newly released 10.10 Yosemite) which could allow an attacker to take complete control of your iMac or MacBook.

Swedish security researcher Emil Kvarnhammar calls the as-yet-unpatched privilege escalation bug "Rootpipe," and says that a malicious hacker could use it to gain root access (the highest level of access on the system) from an admin account without having to enter a password. And once an attacker has root access, all bets are off.

"Normally there are 'sudo' password requirements, which work as a barrier, so the admin can't gain root access without entering the correct password. However, rootpipe circumvents this," Kvarnhammar was reported as saying.

A YouTube video—with a decidedly funky beat—shows the vulnerability in action.

Obviously this is a serious security hole, and eyes will be turning towards Cupertino in the hope that it will be fixed quickly.

The good news is that Kvarnhammar believes in responsible disclosure, and has not released details of how to exploit the vulnerability. If such details were made public there is a very real risk that malicious hackers could take advantage of the flaw, and use it to compromise Macs around the world—stealing information, planting malware, and generally getting up to no good.

Instead the researcher tweeted that the right thing to do was to give Apple time to issue and distribute a patch to vulnerable computers.

Kvarnhammar reported the vulnerability to Apple, sharing details with the firm's developers the day after he discovered the problem. Although Apple has not officially confirmed the flaw, it did agree that he could go public with full details about the vulnerability in January, suggesting that the company is planning to patch it.

It will be interesting to see just how long it takes Apple to push out a patch for what appears to be a serious vulnerability. It will certainly be a shame if it takes until early January for a fix to be rolled out.

In the meantime, while you're waiting, it's a good idea not to use a user account with Administrator rights on your Mac unless absolutely necessary.

Instead, make sure that your everyday user account has "Standard" rights, and create a separate account with Admin privileges for the occasions when that is required.

To create the new account and adjust your existing accounts' privileges, open System Preferences and click on Users & Groups. Create the Admin account first, then untick "Allow user to administer this computer" for your everyday account; doing it in that order means you are never left without an administrator account on the machine.
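The same check and demotion can be done from the command line. The script below is an added example, not code from the article or from Apple: it assumes that the administrators' group on OS X is named "admin" (the group that the "Allow user to administer this computer" checkbox toggles) and that the stock `id` and `dseditgroup` tools are present. The helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): check whether an OS X account is an
# administrator, and demote it to a Standard account from the command line.
# Assumptions: the administrators' group is named "admin" (the group the
# "Allow user to administer this computer" checkbox toggles), and `id` and
# `dseditgroup` are the stock OS X tools.

# group_list_has_admin "GROUP GROUP ..."
#   Takes a space-separated list of group names, as printed by `id -Gn`,
#   and returns 0 if "admin" is one of them, 1 otherwise. Matches the whole
#   name, so a group called "administrators" does not count.
group_list_has_admin() {
    for g in $1; do
        if [ "$g" = "admin" ]; then
            return 0
        fi
    done
    return 1
}

# is_admin_user [USER]
#   Returns 0 if USER (default: the user running the script) is in "admin".
is_admin_user() {
    user=${1:-$(id -un)}
    group_list_has_admin "$(id -Gn "$user" 2>/dev/null)"
}

# demote_to_standard USER
#   Removes USER from "admin", turning it into a Standard account. Run this
#   from the separate admin account you created first, so you are never left
#   without an administrator; sudo prompts for that account's password.
demote_to_standard() {
    sudo dseditgroup -o edit -d "$1" -t user admin
}

# Report on the invoking user. Day-to-day work (web, mail, documents) should
# happen in an account for which this prints "Standard".
if is_admin_user; then
    echo "$(id -un): Administrator (consider: demote_to_standard $(id -un))"
else
    echo "$(id -un): Standard"
fi
```

Run it as your everyday user to see which kind of account you are in; if it reports Administrator, log in to the new admin account and run `demote_to_standard <your-everyday-username>` there.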

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • Coyote

    I’m interested in what this will entail (there is a weak pun in there) once actually announced. I can actually imagine what it is exploiting due to the name (but you can never be sure, either). As for the issue: one should never be logged in as root, except for the tasks that involve it (and only for the time involved and only if it is a time where you have to be logged in (compare to running a command as root and yes the two are different)). Staying logged in as root is a very bad thing.

    • XFox

      You are confusing being logged in as an *admin* user and being logged in as root (by the way, on OS X the root user is disabled by default).

      • Coyote

        Right. But root access (privileges, but see below) is the point. And I’m also from a Unix (only in more recent years Linux, hence the wording) background. (Your) Semantics aside, my point is still the same and I was still referring to a concept – not a specific instance or example. So no, I’m not confusing anything at all (the only thing I was not aware of is a product specific, i.e. admin user versus… but I might add: root IS the administrator, whether you have a specific user is irrelevant[1]. Add to that, as I get to below, the concept isn’t even about root/whatever. It applies equally to non-privileged users). You maybe didn’t understand my point but my point is still relevant. The idea isn’t root by itself. The idea has to do with privilege separation. It is a very basic concept that too many ignore (see how I did that?). Incidentally, the thinking I had as I wrote that was nothing to do with Mac by itself.

        [1] The uid is the key. I can be logged in as ‘coyote’ if I want and still have the same access as whatever uid exists that I grant him. I could give him a group (gid) and give the group a password. I could do whatever I want. So yes, semantics: it doesn’t matter what you call it or how you get to it, at the low level (you say you clicked post? If you want I can go into the sockets API but the idea is simple: different levels). The idea I gave above (in original message) is privilege separation and it is a concept – nothing else, nothing more. Again, nothing to do with product specifics, this is a family specific and actually wider than that – it is a computer security concept itself (not software level).

        • renegademag

          A year ahead of this article I’d brought this up in the Apple Forums, only to be told I was inept, doing something wrong. The experts hadn’t heard of anything like that, so, you know, it would have been impossible.

          • Coyote

            … and I’m unsure as to what or how THAT is relevant to my message? (Perhaps you’re not being serious; I had only just woken up as I wrote the below, and only thought of this after, but I find it rather relevant to anyone who seems to think these things are impossible, and would – though I imagine many would not – see and read this.)

            Malware does exist in the Unix world, and even though MacOSX is based on several Unices (NeXT and one or more of the BSDs, perhaps original BSD), it isn’t any different in that regard. No operating system is 100% immune to vulnerabilities (malware included – anyone claiming otherwise is ignorant and naive); that is the only impossibility with computer security: 100% security is a myth, always has been and always will be. Even computers turned off are not 100% secure, even if they’re in a high-security building (besides manipulation, besides overpowering guards, there is locksmithing). And keyboard locks are irrelevant, too; I used to have a stash of them and that wouldn’t change the fact that if I were to remove a drive the task is so much easier (although even boot-up restrictions can be overcome, but moving the drive to another system allows for more, and more easily).

            So whether they call your point only a PoC or not, is irrelevant. Let’s be real: the most notorious Internet worm ever (most certainly one of the better known worms) is The Morris Worm, and it affected several services (yes, yes, some of them are riddled with holes over the years, but then again, that’s how it is with all software, even software that was designed with security in mind – and the services that it abused were not! – are not 100% safe). Besides that, just as an aside, while the users you listed (in that thread) might be (I honestly don’t know nor do I care) default accounts, the NAME OF A LOGIN DOES NOT EQUATE TO ITS PRIVILEGES. That is important to keep in mind. You can be all but sure root is (In normal Unices… according to the person I responded to originally, it doesn’t exist in Mac OS X – but that’s an irrelevancy as I already pointed out; the name means little, and if it did mean everything it would be a much bigger mess than things already are, and it is as messy as trolls – the race; the Tolkien kind – are hideous) privileged, and it would break many services (and configurations) otherwise; however, the key isn’t the name, the key is the uid/gid and the euid/egid of the owner of the process. Just like a system might default create a user `sync` it isn’t required (some you shouldn’t remove of course, but not all are strictly necessary, especially not the exact way it is created).

            To summarise this: I don’t know why you’re responding to me on it (again, maybe it was not 100% serious), unless maybe you’re responding to the person I responded to. But in any case, there you go – a run down of some basic truths, much of which applies equally to non computer things (let’s say nuclear power plants, for instance? Yes, this has happened – I seem to think of two specific examples although I would have to search, and I’m not going to bother, to find the sources – and I can think of another kind of high-security building type, something to do with space exploration [or some such]).