Serious security flaw in OS X Yosemite 'Rootpipe'

Details are emerging about a serious vulnerability found by a Swedish hacker in Apple's OS X Yosemite, called "Rootpipe." A patch isn't likely to appear until January 2015.
Written by Violet Blue, Contributor

Details are finally emerging about a serious vulnerability in Apple's OS X Yosemite, called "Rootpipe" which allows root access by attackers.

The privilege escalation vulnerability was discovered by Swedish hacker Emil Kvarnhammar, who has been asked by Apple to withhold details until January 2015 -- since Apple likely wouldn't allow details until they have a fix, this is probably when users can expect a patch.

"Rootpipe is a privilege escalation from admin to root so switching to a non-admin account would clearly be a good thing," Kvarnhammar said.

He posted a video showing his initial findings.

When TrueSec's Kvarnhammar contacted Apple about the problem, he was initially met with silence, followed by Apple asking for more details -- after which Apple asked TrueSec not to disclose until next January.

Kvarnhammar said, "The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It's important that they have time to patch, and that the patch is available for some time."

Meanwhile, he reported the issue to US-CERT.

Kvarnhammar first found the exploit in previous versions of Apple's OS around mid-October.

The same day Kvarnhammar tweeted a cautionary note asking that Apple be given time to push out a fix, Apple, somewhat coincidentally, rolled out security updates for Mountain Lion, Mavericks, OS X Server versions 2, 3 and 4 (the new version) and iTunes -- which between them addressed a whopping 144 separate vulnerabilities. Some of the fixes were for vulnerabilities reported over a year ago.

"It all started when I was preparing for two security events, one in Stockholm and one in Malmö," explained Kvarnhammar. "I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few 'proof of concepts' online, but the latest I found affected the older 10.8.5 version of OS X."

"I was a bit dejected but continued to investigate. There were a few small differences [in later releases] but the architecture was the same. With a few modifications I was able to use the vulnerability in the latest Mac OS X, version 10.10."

Kvarnhammar is reluctant to explain how the vulnerability got its name. When asked by TechWorld Sweden where Rootpipe's name came from, he demurred: "I can't get into that too much; I'll get back to you when we can provide more information."

The answers may be in plain sight, however. Kvarnhammar said, "Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin can't gain root access without entering the correct password. However, rootpipe circumvents this."

Don't use an admin account daily; turn on FileVault

Protecting yourself from Rootpipe means employing an admin account workaround, with FileVault on top for safety.

If you're worried about your company's IP, need to protect files or contacts, keep financial information on your Mac, or are in any way a public figure, you're better safe than sorry.

Needless to say, you should be using FileVault regardless -- if this vuln is what makes you turn it on, that's a good thing.

Rootpipe's access is through an admin account, which every Mac must have at least one of -- and it's what most people use for daily computer use. To clog Rootpipe, create a secondary admin account, one that you won't use every day. Then, logged in as that admin account, remove admin permissions from the account you'll be using daily.
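The following script is an added example, not part of the article or Kvarnhammar's work: it checks the two things the advice above turns on, whether your daily login is in the macOS `admin` group (the group whose members get `sudo`, which Kvarnhammar says Rootpipe bypasses) and whether FileVault is on. It assumes the standard macOS tools `dscl`, `dseditgroup` and `fdesetup`; the parsing helpers take command output as an argument so they can be exercised on any system, and the live check only runs where those tools exist.

```shell
#!/bin/sh
# Added example (not from the article). Audits an account against the
# Rootpipe hardening advice: daily account should be a standard user,
# a separate admin account kept for administration, FileVault turned on.
# Assumes macOS tools dscl, dseditgroup and fdesetup.

# Return 0 if user $1 appears in $2, the output of
# `dscl . -read /Groups/admin GroupMembership`
# (which looks like "GroupMembership: root admin alice"), else 1.
is_admin_member() {
    user="$1"
    membership="$2"
    # Drop the "GroupMembership:" label, then require an exact token match
    # so that "ali" does not match "alice".
    for member in $(printf '%s\n' "$membership" | sed 's/^GroupMembership://'); do
        [ "$member" = "$user" ] && return 0
    done
    return 1
}

# Echo "admin" or "standard" for user $1 given membership output $2.
account_status() {
    if is_admin_member "$1" "$2"; then
        echo admin
    else
        echo standard
    fi
}

# Return 0 if $1, the output of `fdesetup status`, reports FileVault on.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live run: only on a Mac where the tools exist (skipped elsewhere).
if command -v dscl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    me=$(id -un)
    members=$(dscl . -read /Groups/admin GroupMembership)
    status=$(account_status "$me" "$members")
    echo "$me is a $status account"
    if [ "$status" = admin ]; then
        echo "Create a spare admin account, log in as it, then drop $me from admin:"
        echo "  sudo dseditgroup -o edit -d $me -t user admin"
    fi
    if filevault_on "$(fdesetup status)"; then
        echo "FileVault: on"
    else
        echo "FileVault: off (enable with: sudo fdesetup enable)"
    fi
fi
```

The membership check deliberately matches whole tokens rather than substrings, since `dscl` prints the group's members space-separated and a prefix match would misreport a user whose name begins another user's name. The `dseditgroup` line is printed rather than executed so that the script itself never needs root.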

ZDNet has reached out to Apple for comment and will update this article accordingly.
