Update your Mac: Apple fixes major flaw in OS X Yosemite, but won't patch Lion, Mountain Lion or Mavericks

A serious vulnerability present in every iteration of Apple's desktop operating system since OS X 10.7, one which allows any user process to gain root privileges, was disclosed to the public on Thursday following the release of OS X 10.10.3, which addresses the issue. Users are urged to update, as older OS X versions will remain susceptible to attack.
The problem revolves around an unpublished OS X API used by system processes, such as System Preferences, for privilege escalation. TrueSec's Emil Kvarnhammar discovered that any OS X user, whether or not their account possesses administrative rights, could gain root access by exploiting this API.
This presents a critical security threat for users of unpatched OS X versions. Users who unwittingly install malware containing exploit code could hand over complete control of their Mac to the attacker, no matter what other security precautions they may have taken.
As a result, OS X users are urged to upgrade to Yosemite version 10.10.3 as soon as possible. Apple will not patch versions older than 10.10, reportedly due to the complexity of the fix.
For users running OS X 10.10, 10.10.1, or 10.10.2, a patch for this bug is included in Security Update 2015-004.
Kvarnhammar first discovered the vulnerability in OS X Mavericks last October, and reported it to Apple immediately. The company asked Kvarnhammar to postpone public disclosure, which generally occurs within 90 days of discovery, "due to the amount of changes required in OS X," and a full fix was not implemented until this week.