[dba-Tech] Your Apple's Mac computer is vulnerable to a serious privilege escalation flaw even if you are running the latest version of Mac OS X.

Jim Lawrence accessd at shaw.ca
Sat Apr 25 03:01:10 CDT 2015


Wow, but not surprising. We will now have to wait and see if Apple gets it right and fixes this hole in their OS. The trouble is, that even with the best intentions, it can be very expensive and time-consuming to fix these bugs...and that's just the cost of damage control...diverting resources to really fix errors is another expense and the fixes have to be broadcast around the world. 

Take for example the 18-year-old Microsoft SMB (Server Message Block) bug. In around 1998, it had become apparent the SMB communications method, used by all versions of Windows, is one of the very common APIs used in many Windows apps. It originally only used plain text, but encryption was added. The application's cipher method may have been good in 1998, but it can be easily cracked now. SMB also uses the two outbound network ports, TCP 139 and TCP 445, which should be blocked, especially outside the local network. Adware and malware commonly use these ports to call back to the mother-ship, so to speak...if these ports are stopped, many malware packages cannot progress.

http://thehackernews.com/2015/04/smb-windows-vulnerability.html

...and: http://cdn2.hubspot.net/hubfs/270968/SPEAR/RedirectToSMB_public_whitepaper.pdf?t=1429209774760

Jim
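The outbound-port advice in the reply above, as an added example that is not part of the original thread: a small Python check that flags allowed TCP 139/445 connections leaving an assumed local address space (the `LOCAL_NETS` ranges and the firewall record format are assumptions for this example), run over constructed sample records.

```python
import ipaddress
from typing import Dict, List

# Outbound ports the reply says to block outside the local network.
SMB_PORTS = {139, 445}

# Assumed local address space for this example site; adjust to the real one.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample of firewall connection records (not captured traffic).
# Assumed format: "<src_ip> <dst_ip> <proto> <dst_port> <action>"
SAMPLE_LOG = """\
10.0.0.12 10.0.0.5 tcp 445 allow
10.0.0.12 203.0.113.7 tcp 445 allow
10.0.0.33 198.51.100.9 tcp 139 allow
10.0.0.33 192.168.1.20 tcp 139 allow
10.0.0.40 203.0.113.7 tcp 443 allow
10.0.0.40 203.0.113.8 tcp 445 deny
"""


def parse_line(line: str) -> Dict[str, object]:
    """Split one whitespace-separated firewall record into a dict."""
    src, dst, proto, port, action = line.split()
    return {"src": src, "dst": dst, "proto": proto,
            "port": int(port), "action": action}


def is_external(addr: str) -> bool:
    """True when the address lies outside every configured local network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)


def find_external_smb(log: str) -> List[Dict[str, object]]:
    """Return allowed TCP 139/445 connections whose destination is off-network.

    Each hit is a connection the reply's advice says should have been blocked.
    """
    hits = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if (rec["proto"] == "tcp" and rec["port"] in SMB_PORTS
                and rec["action"] == "allow" and is_external(str(rec["dst"]))):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        print(f"outbound SMB to external host: "
              f"{hit['src']} -> {hit['dst']}:{hit['port']}")
```

Feeding real firewall or NetFlow exports through the same filter shows which hosts are already making SMB connections past the edge, which is the traffic a block on 139/445 would stop.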

----- Original Message -----
From: "John R Bartow" <jbartow at winhaven.net>
To: "Discussion of Hardware and Software issues" <dba-tech at databaseadvisors.com>
Sent: Tuesday, April 21, 2015 8:50:30 AM
Subject: [dba-Tech] Your Apple's Mac computer is vulnerable to a serious privilege escalation flaw even if you are running the latest version of Mac OS X.

Apple Failed to Patch Rootpipe Mac OS X Yosemite Vulnerability
Sad but True! Your Apple's Mac computer is vulnerable to a serious privilege
escalation flaw, dubbed "RootPipe," even if you are running the latest
version of Mac OS X.

What's RootPipe?
Back in October 2014, a Swedish White Hat hacker, Emil Kvarnhammar, claimed to
have discovered a critical privilege escalation vulnerability, which he dubbed
the "RootPipe" backdoor, in some versions of Mac OS X including the then
newest version 10.10 Yosemite.
The vulnerability (CVE-2015-1130) could allow an attacker to take full
control of your desktop Mac computer or MacBook laptop, even without any
authentication.
Keeping in mind the devastating effect of the RootPipe vulnerability, the
researcher privately reported the flaw to Apple and did not disclose the
details of the flaw publicly until the company released a patch to fix it.

Apple did release an update but failed to patch RootPipe:
Earlier this month, Apple released the latest version of Mac OS X Yosemite,
i.e. OS X Yosemite 10.10.3, and claimed to have fixed the so-called Rootpipe
backdoor, which had been residing on Mac computers since 2011.
However, the company did not fix the flaw in the older versions (below
10.10) of the operating system due to uncodified Apple policy on patching,
leaving tens of millions of Mac users at risk.
"Apple indicated that this issue required a substantial amount of changes on
their side and that they would not backport the fix to 10.9.x and older,"
Kvarnhammar said in a blog post on the TrueSec website.

But here's the worst part:
Apple's RootPipe vulnerability patch for Mac OS X Yosemite 10.10.3 is
claimed to be itself vulnerable, which again left all the Mac machines
vulnerable to the RootPipe attacks.
Holy Crap!

Patrick Wardle, an ex-NSA staffer and current director of R&D at Synack,
claimed to have discovered:
...a new way around Apple's security fix to reabuse the Rootpipe
vulnerability, again opening a path to the highest privilege level - root
access.
Though this time, the attack requires a hacker to have gained local
privileges, which could most likely be obtained via a working exploit of
other software sitting on Mac machines.
Wardle has already reported his findings to Apple's security team and
would not disclose the details of his attack code publicly before the company
issues a complete and unbreakable fix.
Now, let's just hope to get a tough fix for Rootpipe backdoor this time from
Apple. Last time the company took nearly six months to release a patch that
was fooled by Wardle sitting on a flight.

_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com

