All Mac owners should migrate to OS X Yosemite 10.10.3 ASAP

Swedish hacker Emil Kvarnhammar has reported a since-fixed four-year-old local root 'backdoor' in OS X that allows remote attackers to increase the damage of their hacks. Kvarnhammar says the unpublished API, which he dubs a backdoor, grants root access to local users on unpatched boxes. The flaw (CVE-2015-1130) is fixed in Apple …

  1. Anonymous Coward
    Anonymous Coward

    what a timely patch fix

    A root backdoor in an unpublished API. Discovered last October. Only patched this week.

    Let's apply some 2000-year old critical thinking to this unpublished root backdoor API thing: Cui bono?

    Having said that, Yosemite is totally secure now after this latest patch blob. No more unpublished API root backdoors.

    Translation: the new one hasn't been found yet.

  2. Anonymous Coward
    Holmes

    Easy

    "Attackers can pull off the hack by sending a nil, a kind of NULL for Objective-C," Kvarnhammar says.

    Just tell the Mac "We are the Knights who say Nil". Presto - you're in.

    1. Khaptain Silver badge

      Re: Easy

      Nietzsche would have found your approach a little bit Nilistic..... groan......

      [It's Friday and I'm on a half day..... pub o'clock will be earlier than usual]

  3. Anonymous Coward
    Anonymous Coward

    Great

    Now if Apple would provide the https or ftp link which 'wget' can download the Yosemite image from, I can get my box at home to begin downloading it and it'll be ready for me when I get home.

    Or are they going to persist with having me register on their site and babysit a GUI app all weekend?

    1. chivo243 Silver badge

      Re: Great

      I'm told the installation goes rather quickly from the App store, unless you have a slooow connection to the net.

    2. Steve Davies 3 Silver badge

      Re: Great

      Why the resistance to registering?

      The great god that is Apple is giving you the software for free so why not give them a little something in return? You do need to recharge your personal RDF from time to time. The stupid GUI provides you with an ideal opportunity to say a few prayers at the church of St Jobs.

      Or you could search on Google for 'OSX 10.10 download'. I'm sure there are a good number of sites who will gladly supply it for you.

    3. Tac Eht Xilef

      Re: Great

      What, the links at https://support.apple.com/downloads/ aren't good enough for you?

      Now you have that, you can do your own search for cheese to go with your whine...

      1. Anonymous Coward
        Anonymous Coward

        Re: Great

        I'm told the installation goes rather quickly from the App store, unless you have a slooow connection to the net.

        Define "slooow", I understand the download is in the order of 4-5GB, correct?

        RC=0 stuartl@vk4msl-mb /tmp $ wget http://mirror.internode.on.net/pub/test/100meg.test
        --2015-04-10 17:49:58-- http://mirror.internode.on.net/pub/test/100meg.test
        Resolving mirror.internode.on.net... 150.101.135.3
        Connecting to mirror.internode.on.net|150.101.135.3|:80... connected.
        HTTP request sent, awaiting response... 200 OK
        Length: 100000000 (95M) [application/octet-stream]
        Saving to: ‘100meg.test’
        100%[===========>] 100,000,000 1.19MB/s in 1m 40s
        2015-04-10 17:51:37 (980 KB/s) - ‘100meg.test’ saved [100000000/100000000]

        So ~2 minutes for 100MB, that's nearly 2 hours of watching a progress bar for me. No thank-you.

        Why the resistance to registering?

        Why should I? I don't need to register with Canonical to download Ubuntu, do I? Canonical charge me the same amount as Apple do for updates too, I might add.

        Furthermore, in this age of companies' customer data being tapped, why should I expose myself needlessly? Life's too short to be filling out registration forms and waiting for confirmation emails, just give me the goddamn URL and I'll be on my way.

        What, the links at https://support.apple.com/downloads/ aren't good enough for you?

        Care to point out the one that gives you the full OS and not just an incremental update? It looks to me like the downloads there for OS X 10.10 require you to have OS X 10.10 installed in the first place. Or is there one I missed that updates OS X 10.6 → 10.10?

    4. Dan 55 Silver badge

      Re: Great

      https://support.apple.com/kb/DL1804

    5. Chris 3

      Duh

      It's here for download https://support.apple.com/kb/DL1804?locale=en_GB

      Not exactly sure what you mean by 'babysitting a GUI app'. The App Store is pretty good at resuming interrupted downloads. Sounds like you want to be angry for the sake of it.

      ... Whereas you could be quite reasonably angry about them not providing patches for Lion, Mountain Lion and Mavericks.

      1. Anonymous Coward
        Anonymous Coward

        Re: Duh

        Duh

        It's here for download https://support.apple.com/kb/DL1804?locale=en_GB

        Err Duh, that is an update from 10.10.0 to 10.10.3 not 10.6.8 to 10.10.3.

        Yeah, having patches for the older OSes would be nice too, at least for the ones they say are "supported".

        As for babysitting a GUI app. I run Linux on this machine 99.9% of the time. That is what most of the applications I use run on, and what I'm most comfortable with.

        Occasionally there are tasks that require MacOS X, and for that I dual-boot.

        I cannot run the Apple App Store from the Linux environment and have it update my MacOS X installation (and let's face it, it'd be unrealistic to expect this), and so to update MacOS X, I have to be running MacOS X at that time, which means I cannot be doing what I'd normally be doing with the computer.

        Ergo, I'd be stuck with babysitting the app while it does the OS updates as the applications I'd more likely want to use are on Linux and not MacOS X.

    6. Mark 65

      Re: Great

      Or are they going to persist with having me register on their site and babysit a GUI app all weekend?

      softwareupdate -h

      Don't forget to sudo before running the actual install.

  4. Sebby
    Unhappy

    It Just Means

    That Mountain Lion and Mavericks aren't really supported. A great shame if you happen to think either suits you better than Yosemite.

    I mean you don't "Support" an OS by leaving great gaping holes in it, do you?

    :(

    1. big_D Silver badge

      Re: It Just Means

      And Lion? I can't even get Mountain Lion on my Macs.

      1. Dan 55 Silver badge

        Re: It Just Means

        If you've got an x86 Mac, you can probably get Yosemite running with the Clover EFI. Google it and you should find tutorials.

    2. Phuq Witt
      Facepalm

      Re: It Just Means

      Well, I think I'll stick with Mavericks anyway. The very slight chance that some 'l33t haxxor' will infiltrate my computer pales into insignificance beside the potential embarrassment of being seen using that battery-draining Fisher Price KindergartenOS© known as Yosemite.

      1. Anonymous Coward
        Anonymous Coward

        Re: It Just Means

        Love this comment. WTF was Apple thinking when going 'flat' on design...

    3. P. Lee

      Re: It Just Means

      >[It Just Means] That Mountain Lion and Mavericks aren't really supported.

      or that one of the patches in the "Yosemite" bundle for OSX fixes the issue?

      Says the man still running snow leopard... :)

  5. fnusnu

    Another epic Apple EOL fail

    For the love of $deity when will Apple actually make a definitive statement on the end of life of their products and operating systems?

    Every other major manufacturer / software company manages to.

    1. Sandtitz Silver badge

      Re: Another epic Apple EOL fail

      They don't state anything since they can get away with it. If Apple stated that OSX 10.10 will get updates for only three years or so people would tear them a new one since the competition (Linux + Windows) get something like 10+ years of updates.

      Apple computers are not for the technically oriented minds. People will buy Macs regardless with the content smile of the lobotomized, bordering on Nirvana. When Apple shows no more love for the device a few years from now these people will still use them since they are not aware that there will be no more updates.

      1. Ted Treen
        Happy

        Re: Another epic Apple EOL fail

        "...Apple computers are not for the technically oriented minds. People will buy Macs regardless with the content smile of lobotomized, bordering on Nirvana..."

        Whereas I, Sandtitz, am one of the élite cognoscenti who look down on those who merely want to get on with using a machine without having to fart about with it.

        And yes, I have been involved in both H/W and S/W support/engineering since the late 1970s, and surprisingly enough, have been a Mac user since 1990. Even the most experienced mechanics like something which they can just drive...

        (Awaits hordes of downvotes from the anti-Apple mob, desperate to show how they're too cool and too technically brilliant to use something which just runs...)

        1. Mark 65

          Re: Another epic Apple EOL fail

          A better statement would be that they don't inform of software lifecycles as it may affect hardware sales as most people will upgrade the hardware and get the OS pre-installed.

  6. Dan 55 Silver badge
    Mushroom

    Six months to patch in an "if object != NULL", or however you do it in Obj-C, is completely unacceptable.

    Apple, when are you going to take security seriously?
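An added illustration of the class of mistake the comment above (and the "sending a nil" quote in the article) points at. This is not Apple's code and not a reconstruction of the CVE-2015-1130 fix; the function names and the `com.example.admin` key are hypothetical stand-ins for an XPC service's entitlement check. The point it shows is Objective-C specific: a message sent to nil returns nil/0/NO, so a check phrased as "not equal to NO" passes silently when the object it inspects is missing, and the fix is to reject the nil case explicitly and require a positive, typed YES.

```objectivec
// Added example, not from the page or from Apple. Build on a Mac with:
//   clang -fobjc-arc -framework Foundation nilcheck.m -o nilcheck
#import <Foundation/Foundation.h>

// Hypothetical stand-in for an XPC service's authorisation decision.
// `entitlements` would normally be read from the connecting process;
// here it is passed in so the nil case can be exercised directly.

// Fail-open form. When `entitlements` is nil, the subscript returns nil,
// [nil isEqual:@NO] returns NO, and the negation turns that into YES:
// a missing object is treated as "not denied".
static BOOL allowPrivilegedOperationFailOpen(NSDictionary *entitlements) {
    NSNumber *flag = entitlements[@"com.example.admin"];
    return ![flag isEqual:@NO];
}

// Fail-closed form. Reject a nil object outright, then require the
// entitlement to be present, to be an NSNumber, and to be YES.
static BOOL allowPrivilegedOperationFailClosed(NSDictionary *entitlements) {
    if (entitlements == nil) {
        return NO;
    }
    id flag = entitlements[@"com.example.admin"];
    return [flag isKindOfClass:[NSNumber class]] && [flag boolValue];
}

int main(void) {
    @autoreleasepool {
        // Constructed inputs: an admin caller, an ordinary caller, and the
        // "nil" case a caller can produce by sending no dictionary at all.
        NSDictionary *admin = @{ @"com.example.admin": @YES };
        NSDictionary *user  = @{ @"com.example.admin": @NO };
        NSDictionary *none  = nil;

        NSLog(@"admin: fail-open=%d fail-closed=%d",
              allowPrivilegedOperationFailOpen(admin),
              allowPrivilegedOperationFailClosed(admin));
        NSLog(@"user:  fail-open=%d fail-closed=%d",
              allowPrivilegedOperationFailOpen(user),
              allowPrivilegedOperationFailClosed(user));
        NSLog(@"nil:   fail-open=%d fail-closed=%d",
              allowPrivilegedOperationFailOpen(none),
              allowPrivilegedOperationFailClosed(none));
    }
    return 0;
}
```

Run it and the two functions agree for the admin and user dictionaries but disagree for nil: the fail-open version grants the operation to a caller that supplied nothing, the fail-closed version refuses it. The general rule for privilege checks in Objective-C is the same as in any language, only easier to get wrong: never derive "allowed" from a negation over a value that nil can short-circuit.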

  7. Anonymous Coward
    Anonymous Coward

    All Mac owners should...

    ...pat themselves on the back. Well done iPeople, you've chosen well.

    1. Anonymous Coward
      Anonymous Coward

      Re: All Mac owners should...

      All Mac owners should...

      ...pat themselves on the back. Well done iPeople, you've chosen well.

      Thank you, I indeed think so given the fact that every Apple-provided update is still news, and needs no patch-Tuesday fudge to prevent people from realising just how many patches they are downloading. However, unlike with Microsoft Windows patches I had to manually uninstall MS Office for Mac to prevent Powerpoint from working so you can't win them all...

      :)

  8. tempemeaty
    FAIL

    ...you're out of luck.

    I would love to upgrade. Oh that's right. I CAN'T. Why? I need more RAM.

    The jack ass control freaks running Apple made these things so the owners can't upgrade their RAM. Nice isn't it...

    1. Chris 3

      Re: ...you're out of luck.

      Hang on? I've got 10.10.3 running on a 2007 iMac with 3 Gigs of RAM. I agree about the stupidity of the new 21" iMacs not having accessible RAM slots, but if you've got one of those, it wouldn't have shipped with less than 8 Gigs.

    2. Marc 25

      Re: ...you're out of luck.

      Apple: Can't upgrade your OS any further? Awww, that's a shame. I guess it's time for an updated bit of kit? Here, let me help you with that!

      Do you see how this consumerism thing works now?

      1. Anonymous Coward
        Anonymous Coward

        Re: ...you're out of luck.

        Sure. You try Vista or above on a box that used to run XP and see how far you get.

        There is another reason why I like Apple: they can't use the "must be the driver" excuse if something doesn't work.

        1. david 12 Silver badge

          Re: ...you're out of luck.

          No, don't try Vista. It doesn't run as well as XP. Try Win7. It runs better than XP.

          Personally, I do not like Win7 as well as XP, but it runs perfectly OK on those XP boxes that weren't so old that they've already suffered hardware failure of one form or another.

  9. knarf

    Not for older Macs

    Apple stops you upgrading if your mac is too old..... sorry not supported .....sorry.... buy a new mac buddy....

    1. Ted Treen

      Re: Not for older MACs

      My Early 2009 Mac Pro is running Yosemite quite happily. It's a 6-yr old machine, and still does all I ask it to do, including quite heavy Photoshop work with 210MB 14-bit TIFFs (exported Raw files from my D800).

    2. P. Lee

      Re: Not for older MACs

      That's true and it wouldn't be too much of a problem if Apple didn't clamp down on upgrades, which is a relatively new thing they do and the full effect of it hasn't worked its way through the system.

      I'd love an MBA, but with an 8G limit there's no way. It's one thing to not be upgradable, it's quite another to hold down the spec so you can't buy what you think you might need in the future.

      I see Apple are still defaulting to 4G RAM. I wonder how many people are disappointed with their new mac? Oooh! A shiny new MBA with a 3.2Ghz i7 and ... 4G RAM? Non-upgradable?

  10. /dev/null

    Actually, OS X Security Update 2015-004 (see https://support.apple.com/en-gb/HT204659 ) which includes the CVE-2015-1130 fix, has been released for 10.8.5, 10.9.5 and 10.10.x, so in theory all these releases are still supported. However, not all of the fixes in it apply to all these OS X versions, so in practice, maybe not?

    1. Dan 55 Silver badge
      Headmaster

      From http://www.securitytracker.com/id/1032048 ...

      "A local user can exploit a flaw in the checking of XPC entitlements to gain administrative privileges [CVE-2015-1130]. OS X versions 10.10.x are affected."

      El Reg draws this conclusion...

      "Systems running OS X 10.8.5, 10.9.5, and 10.10 to 10.10.2, for example, are still vulnerable. If your Mac can't run Yosemite, then you're out of luck. ®"

      See me after school, El Reg.

  11. Matthew 17

    It's all just OS 10

    Apple just expect you to run the latest version of MacOS 10; you can run it on quite old machines. The hardware requirements for 10.10 are no different to 10.7.

    yes it's daft that Apple sell machines that you can't upgrade the RAM on however I can't think of a single one of those that wouldn't have been supplied with enough to run the current version.

    If you're running an old computer that's 7 or more years old then you're not really likely to be that arsed about running the latest and greatest software so unlikely to rush out to install the latest revision of the operating system.

    Personally I've found that 10.10 hasn't been quite as polished as earlier revisions but the current patch does seem to have brought it back to its old self, of the machines I've tried it on I've found no issues yet.

    1. Mike 16

      Re: It's all just OS 10

      "The hardware requirements for 10.10 are no different to 10.7"

      Um, the _requirements_ may not be different, if by that you mean "what those weasels who write the ad copy said", but in practice, my wife's 2011 MacBook Pro (4 GB) went from pretty darn snappy to "WTF, what is this, a 286?" in the "upgrade" from 10.7 to 10.10. YMMV, certainly, but "4 Gig ought to be enough for anyone" doesn't apply to the new Vista, er, OS X.

    2. Mark 65

      Re: It's all just OS 10

      The hardware requirements for 10.10 are no different to 10.7

      What, other than the 64-bit requirement meaning a 2008 Macbook will not run it?

  12. Anonymous Coward
    Anonymous Coward

    Wait, so only the latest release of OSX is being patched, leaving the vulnerability live in 10.9 even though it's a still supported release? Because you want to force people to upgrade to the latest release? Even though some are running software under 10.9 which doesn't yet support 10.10?

    FUCK YOU APPLE.

    1. Anonymous Coward
      Anonymous Coward

      Welcome back Eadon.

    2. Fink-Nottle

      karma

      With language like that, I can't think of a more deserving recipient of a security exploit ...

      1. Anonymous Coward
        Anonymous Coward

        Re: karma

        Sorry, but I think the attitude demonstrated here by Apple toward its user base deserves harsh language. There is no polite way in which I can adequately express my opinion of exactly how much they are screwing over their user base here. In what messed-up universe do you live where you think someone actually deserves a security exploit?

        1. Fink-Nottle

          Re: karma

          > In what messed-up universe do you live where you think someone actually deserves a security exploit?

          In the same universe where potty-mouthed teenagers can throw a temper tantrum when their third party software is incompatible with the latest iteration of their OS.

          1. Anonymous Coward
            Anonymous Coward

            Re: karma

            1. I'm not a teenager by any stretch of the imagination.

            2. You've completely ignored the quite serious point of the original post and decided to embark on some trolling. Well done you, it even worked for a while.

            1. Fink-Nottle

              Re: karma

              1/. Then you should be old enough to exercise some judgement and self-control when posting on a family friendly website. Particularly if you want others to treat you seriously.

              2/. The 'serious' point you made was that you are running software under 10.9 which doesn't yet support 10.10?

              Serious point? Really? What does your 'serious' point have to do with the 10.10.3 release?

              The 10.9 to 10.10 upgrade happened nearly a year ago. The hardware requirements for OS X Yosemite were the same as those for OS X Mavericks, thus if your Mac can run 10.9 it will run 10.10. If your third party software was incompatible with 10.10 you have had a WHOLE YEAR to either contact the developer or find an alternative software package. Instead you chose to whinge about Apple.

              Idiot.

              1. Anonymous Coward
                Anonymous Coward

                Re: karma

                Family Friendly website? If the wording of the post was a problem, how come the moderator hasn't removed it or contacted me?

                My serious point has nothing whatsoever to do with the 10.10.3 release. It was specifically to do with the OS vendor's decision not to patch a serious security vulnerability in 10.9.x which is a fully supported version of the operating system, and as far as I know hasn't bothered telling its user base.

                I'm ignoring the remainder of your reply because it's ridiculous, and the last bit is, well, trolling.

                Have a nice day.

  13. Slap

    Is this really good form

    Is it really good form to shout from the rooftops about a recently patched vulnerability and then reveal exactly how you can exploit it, literally a day after a patch has been announced, knowing full well there are thousands, if not millions, of systems that are still unpatched, where some are likely to remain unpatched due to essential legacy software?

    While I commend the security researchers for their work, I utterly damn them to hell for revealing the exact details of the exploit a mere day after the patch was released.

    While I, like you, am always interested in the exact methodology, it's not always a good thing to make it public. In this case especially, considering that it was simply one person who discovered the exploit, and yet now the whole world knows about it, and can use it.

    While security through obscurity is generally an extremely bad idea, sometimes we need this obscurity thing to last a little longer.

  14. anothercynic Silver badge

    Since it's only Yosemite affected...

    ... How do you (El Reg) expect Apple to 'fix' unaffected versions of the OS?

    1. spatulasnout
      Alert

      Re: Since it's only Yosemite affected...

      Well, no?

      In the "truesecdev" article linked in the fourth paragraph, the discoverer of the vulnerability states that it works on all versions back to 10.7.x, and conceivably earlier, but he didn't have a 10.6.x version to test with:

      https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

      He also states in his discussions with Apple, that: "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."

      And in the comment section of that article, despite one poster who erroneously believed Apple's patch applied to his older OS version, posters are confirming the exploit works on older OS versions, and that Apple's latest patch indeed does not fix the problem on older versions.

  15. tempemeaty
    Facepalm

    Money strapped Apple...of course I understand...

    Substantial amount of changes. Yeah. I can't blame a struggling company like Apple for not going back to fix even the last version before. When money is tight you have to make sacrifices. I've seen the new low end iMac and can see their struggles have been showing...
