back to article All Mac owners should migrate to OS X Yosemite 10.10.3 ASAP

Swedish hacker Emil Kvarnhammar has reported a since-fixed four-year-old local root 'backdoor' OS X that allows remote attackers to increase the damage of their hacks. Kvarnhammar says the unpublished API, which he dubs a backdoor, grants root access to local users on unpatched boxes. The flaw (CVE-2015-1130) is fixed in Apple …

  1. ST Silver badge

    what a timely patch fix

    A root backdoor in an unpublished API. Discovered last October. Only patched this week.

    Let's apply some 2000-year old critical thinking to this unpublished root backdoor API thing: Cui bono?

    Having said that, Yosemite is totally secure now after this latest patch blob. No more unpublished API root backdoors.

    Translation: the new one hasn't been found yet.

  2. Anonymous Coward
    Holmes

    Easy

    "Attackers can pull off the hack by sending a nil, a kind of NULL for Object C,Kvarnhammar says."

    Just tell the Mac "We are the Knights who say Nil". Presto - you're in.

    1. Khaptain Silver badge

      Re: Easy

      Nietzsche would have found this your approach a lit bit Nilistic..... groan......

      [It's Friday and I'm on half day.....pub o'oclock will be earlier than usual ]

  3. Anonymous Coward
    Anonymous Coward

    Great

    Now if Apple would provide the https or ftp link which 'wget' can download the Yosemite image from, I can get my box at home to begin downloading it and it'll be ready for me when I get home.

    Or are they going to persist with having me register on their site and babysit a GUI app all weekend?

    1. chivo243 Silver badge

      Re: Great

      I'm told the installation goes rather quickly from the App store, unless you have a slooow connection to the net.

    2. Steve Davies 3 Silver badge

      Re: Great

      Why the resistance to registering?

      The great god that is Apple is giving you the software for free so why not give them a little something in return? You do need to recharge your personal RDF from time to time. The stupid GUI provides you with an ideal opportunity to say a few prayers at the church of St Jobs.

      Of you could gearch on Google for 'OSX 10.10 download'. I'm sure there are a good number of sites who will gladly supply it for you.

    3. Tac Eht Xilef

      Re: Great

      What, the links at https://support.apple.com/downloads/ aren't good enough for you?

      Now you have that, you can do your own search for cheese to go with your whine...

      1. Anonymous Coward
        Anonymous Coward

        Re: Great

        I'm told the installation goes rather quickly from the App store, unless you have a slooow connection to the net.

        Define "slooow", I understand the download is in the order of 4-5GB, correct?

        RC=0 stuartl@vk4msl-mb /tmp $ wget http://mirror.internode.on.net/pub/test/100meg.test

        --2015-04-10 17:49:58-- http://mirror.internode.on.net/pub/test/100meg.test

        Resolving mirror.internode.on.net... 150.101.135.3

        Connecting to mirror.internode.on.net|150.101.135.3|:80... connected.

        HTTP request sent, awaiting response... 200 OK

        Length: 100000000 (95M) [application/octet-stream]

        Saving to: ‘100meg.test’

        100%[===========>] 100,000,000 1.19MB/s in 1m 40s

        2015-04-10 17:51:37 (980 KB/s) - ‘100meg.test’ saved [100000000/100000000]

        So ~2 minutes for 100MB, that's nearly 2 hours of watching a progress bar for me. No thank-you.

        Why the resistance to registering?

        Why should I? I don't need to register with Canonical to download Ubuntu do I? Canonical charge me the same amount as what Apple are for updates too I might add.

        Furthermore, in this age of company's customer data being tapped, why should I expose myself needlessly? Life's too short to be filling out registration forms and waiting for confirmation emails, just give me the goddamn URL and I'll be on my way.

        What, the links at https://support.apple.com/downloads/ aren't good enough for you?

        Care to point out the one that gives you the full OS and not just an incremental update? Looks to me the downloads there for OS X 10.10 require you to have OS X 10.10 installed in the first place. Or is there one I missed that updates OS X 10.6→ 10.10?

    4. Dan 55 Silver badge

      Re: Great

      https://support.apple.com/kb/DL1804

    5. Chris 3

      Duh

      It's here for download https://support.apple.com/kb/DL1804?locale=en_GB

      Not exactly sure what you mean by 'babysitting a GUI app'. The Appstore pretty good at resuming interrupted downloads. Sounds like you want to be angry for the sake of it.

      ... Whereas you could be quite reasonably angry about them not providing patches for Lion, Mountain Lion and Mavericks.

      1. Anonymous Coward
        Anonymous Coward

        Re: Duh

        Duh

        It's here for download https://support.apple.com/kb/DL1804?locale=en_GB

        Err Duh, that is an update from 10.10.0 to 10.10.3 not 10.6.8 to 10.10.3.

        Yeah, having patches for the older OSes would be nice too, at least for the ones they say are "supported".

        As for babysitting a GUI app. I run Linux on this machine 99.9% of the time. That is what most of my applications I use run on, and what I'm most comfortable with.

        Occasionally there are tasks that require MacOS X, and for that I dual-boot.

        I cannot run the Apple App store from the Linux environment and have it update my MacOS X installation (and lets face it, it'd be unrealistic to expect this), and so to update MacOS X, I have to be running MacOS X at that time, which means I cannot be doing what I'd normally be doing with the computer.

        Ergo, I'd be stuck with babysitting the app while it does the OS updates as the applications I'd more likely want to use are on Linux and not MacOS X.

    6. Mark 65 Silver badge

      Re: Great

      Or are they going to persist with having me register on their site and babysit a GUI app all weekend?

      softwareupdate -h

      Don't forget to sudo before running the actual install.

  4. Sebby
    Unhappy

    It Just Means

    That Mountain Lion and Mavericks aren't really supported. A great shame if you happen to think either suits you better than Yosemite.

    I mean you don't "Support" an OS by leaving great gaping holes in it, do you?

    :(

    1. big_D Silver badge

      Re: It Just Means

      And Lion? I can't even get Mountain Lion on my Macs.

      1. Dan 55 Silver badge

        Re: It Just Means

        If you've got an x86 Mac, you can probably get Yosemite running with the Clover EFI. Google it and you should find tutorials.

    2. Phuq Witt
      Facepalm

      Re: It Just Means

      Well, I think I'll stick with Mavericks anyway. The very slight chance that some 'l33t haxxor' will infiltrate my computer pales into insignificance beside the potential embarrassment of being seen using that battery-draining Fisher Price KindegartenOS© known as Yosemite.

      1. Anonymous Coward
        Anonymous Coward

        Re: It Just Means

        love this comment - wtf Apple thought when going 'flat' on design ...

    3. P. Lee Silver badge

      Re: It Just Means

      >[It Just Means] That Mountain Lion and Mavericks aren't really supported.

      or that one of the patches in the "Yosemite" bundle for OSX fixes the issue?

      Says the man still running snow leopard... :)

  5. fnusnu

    Another epic Apple EOL fail

    For the love of $deity when will Apple actually make a definitive statement on the end of life of their products and operating systems?

    Every other major manufacturer / software company manages to.

    1. Sandtitz Silver badge

      Re: Another epic Apple EOL fail

      They don't state anything since they can get away with it. If Apple stated that OSX 10.10 will get updates for only three years or so people would tear them a new one since the competition (Linux + Windows) get something like 10+ years of updates.

      Apple computers are not for the technically oriented minds. People will buy Macs regardless with the content smile of lobotomized, bordering on Nirvana. When Apple shows no more love for the device few years from now these people will still use them since they are not aware that there will be no more updates.

      1. Ted Treen
        Happy

        Re: Another epic Apple EOL fail

        "...Apple computers are not for the technically oriented minds. People will buy Macs regardless with the content smile of lobotomized, bordering on Nirvana..."

        Whereas I, Sandtitz, am one of the élite cognoscenti who look down on those who merely want to get on with using a machine without having to fart about with it.

        And yes, I have been involved in both H/W ands S/W support/engineering since the late 1970's, and surprisingly enough, have been a Mac user since 1990. Even the most experienced mechanics like something which they can just drive...

        (Awaits hordes of downvotes from the anti-Apple mob, desperate to show how they're too cool and too technically brilliant to use something which just runs...)

        1. Mark 65 Silver badge

          Re: Another epic Apple EOL fail

          A better statement would be that they don't inform of software lifecycles as it may affect hardware sales as most people will upgrade the hardware and get the OS pre-installed.

  6. Dan 55 Silver badge
    Mushroom

    Six months to patch in an if object != NULL or however you do it in Obj C is completely unacceptable

    Apple, when are you going to take security seriously?

  7. Anonymous Coward
    Anonymous Coward

    All Mac owners should...

    ...pat themselves on the back. Well done iPeople, you've chosen well.

    1. Anonymous Coward
      Anonymous Coward

      Re: All Mac owners should...

      All Mac owners should...

      ...pat themselves on the back. Well done iPeople, you've chosen well.

      Thank you, I indeed think so given the fact that every Apple-provided update is still news, and needs no patch-Tuesday fudge to prevent people from realising just how many patches they are downloading. However, unlike with Microsoft Windows patches I had to manually uninstall MS Office for Mac to prevent Powerpoint from working so you can't win them all...

      :)

  8. tempemeaty
    FAIL

    ...you're out of luck.

    I would love to upgrade. Oh that's right. I CAN'T. Why? I need more RAM.

    The jack ass control freaks running Apple made these things so the owners can't upgrade their RAM. Nice isn't it...

    1. Chris 3

      Re: ...you're out of luck.

      Hang on? I've got 10.10.3 running on a 2007 iMac with 3Gigs of RAM. I agree about the stupidity of the new 21" iMacs not having accessible RAM slots, but if you've got one of those, it wouldn;t have shipped with less than 8Gigs.

    2. Marc 25

      Re: ...you're out of luck.

      Apple: Can't upgrade any further your OS any further? awww thats a shame. I guess it's time for an updated bit of kit? Here let me help you with that!

      Do you see how this consumerism thing works now?

      1. Anonymous Coward
        Anonymous Coward

        Re: ...you're out of luck.

        Sure. You try Vista or above on a box that used to run XP and see how far you got.

        There is another reason why I like Apple: they can't use the "must be the driver" excuse if something doesn't work.

        1. david 12 Bronze badge

          Re: ...you're out of luck.

          No, don't try Vista. It doesn't run as well as XP. Try Win7. It runs better than XP.

          Personally, do not like Win7 as well as XP, but it runs perfectly OK on those XP boxes that weren't so old that they've already suffered hardware failure of one form or another.

  9. knarf

    Not for older MACs

    Apple stops you upgrading if your mac is too old..... sorry not supported .....sorry.... buy a new mac buddy....

    1. Ted Treen

      Re: Not for older MACs

      My Early 2009 MacPro is running Yosemite quite happily. It's a 6-yr old machine, and still does all I ask it to do, including quite heavy Photoshop work with 210Mb 14-bit TIFFS (Exported Raw files from my D800).

    2. P. Lee Silver badge

      Re: Not for older MACs

      That's true and it wouldn't be too much of a problem if Apple didn't clamp down on upgrades, which is a relatively new thing they do and the full effect of it hasn't worked its way through the system.

      I'd love an MBA, but with an 8G limit there's no way. Its one thing to not be upgradable, its quite another to hold down the spec so you can't buy what you think you might need in the future.

      I see Apple are still defaulting to 4G RAM. I wonder how many people are disappointed with their new mac? Oooh! A shiny new MBA with a 3.2Ghz i7 and ... 4G RAM? Non-upgradable?

  10. /dev/null

    Actually, OS X Security Update 2015-004 (see https://support.apple.com/en-gb/HT204659 ) which includes the CVE-2015-1130 fix, has been released for 10.8.5, 10.9.5 and 10.10.x, so in theory all these releases are still supported. However, not all of the fixes in it apply to all these OS X versions, so in practice, maybe not?

    1. Dan 55 Silver badge
      Headmaster

      From http://www.securitytracker.com/id/1032048 ...

      "A local user can exploit a flaw in the checking of XPC entitlements to gain administrative privleges [CVE-2015-1130]. OS X versions 10.10.x are affected."

      El Reg draws this conclusion...

      "Systems running OS X 10.8.5, 10.9.5, and 10.10 to 10.10.2, for example, are still vulnerable. If your Mac can't run Yosemite, then you're out of luck. ®"

      See me after school, El Reg.

  11. Matthew 17

    It's all just OS 10

    Apple just expect you to run the latest version of of MacOS10, you can run it on quite old machines. The hardware requirements for 10.10 are no different to 10.7

    yes it's daft that Apple sell machines that you can't upgrade the RAM on however I can't think of a single one of those that wouldn't have been supplied with enough to run the current version.

    If you're running an old computer that's 7 or more years old then you're not really likely to be that arsed about running the latest and greatest software so unlikely to rush out to install the latest revision of the operating system.

    Personally I've found that 10.10 hasn't been quite as polished as earlier revisions but the current patch does seem to have brought it back to its old self, of the machines I've tried it on I've found no issues yet.

    1. Mike 16 Silver badge

      Re: It's all just OS 10

      "The hardware requirements for 10.10 are no different to 10.7"

      Um, the _requirements_ may not be different, if by that you mean "what those weasels who write the ad copy said", but in practice, my wife's 2011 MacBook Pro (4 GB) went from pretty darn snappy to "WTF, what is this, a 286?" in the "upgrade from 10.7 to 10.10. YMMV, certainly, but "4 Gig ought to be enough for anyone" doesn't apply to the new Vista, er, OS X.

    2. Mark 65 Silver badge

      Re: It's all just OS 10

      The hardware requirements for 10.10 are no different to 10.7

      What, other than the 64-bit requirement meaning a 2008 Macbook will not run it?

  12. Anonymous Coward
    Anonymous Coward

    Wait, so only the latest release of OSX is being patched, leaving the vulnerability live in 10.9 even though its a still support release? Because you want to force people to upgrade to the latest release? Even though some are running software under 10.9 which doesn't yet support 10.10?

    FUCK YOU APPLE.

    1. Anonymous Coward
      Anonymous Coward

      Welcome back Eadon.

    2. Fink-Nottle

      karma

      With language like that, I can't think of a more deserving recipient of a security exploit ...

      1. Anonymous Coward
        Anonymous Coward

        Re: karma

        Sorry but I think the attitude demonstrated here by Apple toward its user base deserves harsh language. There is no polite way in which I can adequately express my opinion of exactly how much they are screwing over their user base here. I what messed up universe do you live in where you think someone actually deserves a security exploit?

        1. Fink-Nottle

          Re: karma

          > I what messed up universe do you live in where you think someone actually deserves a security exploit?

          In the same universe where potty-mouthed teenagers can throw a temper tantrum when their third party software is incompatible with the latest iteration of their OS.

          1. Anonymous Coward
            Anonymous Coward

            Re: karma

            1. I'm not a teenager by any stretch of the imagination.

            2. You've completely ignored the quite serious point of the original post and decided to embark on some trolling. Well done you, it even worked for a while.

            1. Fink-Nottle

              Re: karma

              1/. Then you should be old enough to exercise some judgement and self-control when posting on a family friendly website. Particularly if you want others to treat you seriously.

              2/. The 'serious' point you made was that you are running software under 10.9 which doesn't yet support 10.10?

              Serious point? Really? What does your 'serious' point have to do have do with the 10.10.3 release?

              The 10.9 to 10.10 upgrade happened nearly a year ago. The hardware requirements for OS X Yosemite were the same as those for OS X Mavericks, thus if your Mac can run 10.9 it will run 10.10. If your third party software was incompatible with 10.10 you have had a WHOLE YEAR to either contact the developer or find an alternative software package. Instead you chose to whinge about Apple.

              Idiot.

              1. Anonymous Coward
                Anonymous Coward

                Re: karma

                Family Friendly website? If the wording of the post was a problem, how come the moderator hasn't removed it or contacted me?

                My serious point has nothing whatsoever to do with the 10.10.3 release. It was specifically to do with the OS vendor's decision not to patch a serious security vulnerability in 10.9.x which is a fully supported version of the operating system, and as far as I know hasn't bothered telling its user base.

                I'm ignoring the remainder of your reply because its ridiculous, and the last bit is, well, trolling.

                Have a nice day.

  13. Slap

    Is this really good form

    Is it really good form shout from the rooftops about a recently patched vulnerability and then reveal exactly how you can exploit it, literally a day after a patch has been announced, but knowing full well there are thousands, if not millions, of systems that are still unpatched, where some are likely to remain unpatched due to essential legacy software?

    While I commend the security researchers for their work, I utterly damn them to hell for revealing the exact details of the exploit a mere day after the patch was released.

    While I, like you, are always interested in the exact methodology, it's not always a good thing to make it public. In this case especially considering that it was simply one person who discovered the exploit, and yet now the whole world now knows about it, and can now use it.

    While security through obscurity is generally an extremely bad idea, sometimes we need this obscurity thing to last a little longer.

  14. anothercynic Silver badge

    Since it's only Yosemite affected...

    ... How do you (El Reg) expect Apple to 'fix' unaffected versions of the OS?

    1. spatulasnout
      Alert

      Re: Since it's only Yosemite affected...

      Well, no?

      In the "trusecdev" article linked in the fourth paragraph, the discoverer of the vulnerability states that it works on all versions back to 10.7.x, and conceivably earlier but he didn't have a 10.6.x version to test with:

      https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

      He also states in his discussions with Apple, that: "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."

      And in the comment section of that article--despite one poster who erroneously believed Apple's patch applied to his older OS version--posters are confirming the exploit works on older OS versions, and that apple's latest patch indeed does not fix the problem on older versions.

  15. tempemeaty
    Facepalm

    Money strapped Apple...of course I understand...

    Substantial amount of changes. Yeah. I can't blame a struggling company like Apple for not going back to fix even the last version before. When money is tight you have to make sacrifices. I've seen the new low end iMac and can see their struggles have been showing...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019