The Mac Security Blog

Malware + Recommended + Security News

Teenager Finds OS X 10.10.5 Zero-Day Vulnerability, in His Spare Time

Posted on by

Zero-day

Oh dear.

Only days after Apple released OS X 10.10.5, fixing a host of security flaws, a further serious (and as yet unpatched) vulnerability has been made public, by an Italian teenager who says he researches security holes in his spare time.

Luca Todesco has released details of a zero-day vulnerability in OS X 10.9.5 and OS X 10.10.5, the latest shipping version of Apple’s desktop and laptop operating system.

According to MacIssues, the problem identified by Todesco lies in how OS X handles NULL pointers in programs, opening an opportunity for malicious code to bypass the operating system’s defenses.

Fortunately, the attack does depend upon unsuspecting users downloading and agreeing to execute malicious code on their computer — although, as we all know, malicious hackers are experts at using social engineering and compelling lures to trick the unwary into making unwise decisions.

Some have already criticised 18-year-old Todesco for making available proof-of-concept code that exploits the unpatched OS X vulnerability, but on Twitter he appears to be unrepentant:

Once again, I’m inclined to believe that Apple might get more assistance from independent vulnerability researchers if it were to offer a financial reward for the responsible disclosure of bugs, rather than take its current — somewhat aloof — approach.

It remains to be seen whether Apple will release a patch for this latest vulnerabilities, or attempt to wait until OS X 10.11 El Capitan ships (the beta version reportedly already thwarts this particular attack).

Personally, my hope is that they will do the right thing and protect users of their current official shipping version rather than leave them in the lurch until they are ready to upgrade.

Meanwhile, the Thunderstrike 2 vulnerability continues to remain unpatched by Apple.

One hopes that the fix for that — like Todesco’s zero-day vulnerability — will be coming sooner rather than later.

Apple, please get the bugs fixed. Then sort out your relationship with the vulnerability researchers.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →