
Update your Mac: Apple fixes major flaw in OS X Yosemite, but won't patch Lion, Mountain Lion or Mavericks

A serious vulnerability present in every iteration of Apple's desktop operating system since OS X 10.7, one which allows any user process to gain root privileges, was disclosed to the public on Thursday following the release of OS X 10.10.3, which addresses the issue. Users are urged to update, as older OS X versions will remain susceptible to attack.

The problem revolves around an unpublished OS X API used by system processes, like System Preferences, for privilege escalation. TrueSec's Emil Kvarnhammar discovered that any OS X user, whether or not their account possesses administrative rights, could gain root access by exploiting this API.

This presents a critical security threat for users of unpatched OS X versions. Users who unwittingly install malware containing exploit code could hand over complete control of their Mac to the attacker, no matter what other security precautions they may have taken.

As a result, OS X users are urged to upgrade to Yosemite version 10.10.3 as soon as possible. Apple will not patch versions older than 10.10, reportedly due to the complexity of the fix.

For users running OS X 10.10, 10.10.1, or 10.10.2, a patch for this bug is included in Security Update 2015-004.

Kvarnhammar first discovered the vulnerability in OS X Mavericks last October, and reported it to Apple immediately. The company asked Kvarnhammar to postpone public disclosure, which generally occurs within 90 days of discovery, "due to the amount of changes required in OS X," and a full fix was not implemented until this week.



102 Comments

desuserign 1316 comments · 17 Years

Quote:
Originally Posted by AppleInsider As a result, OS X users are urged to upgrade to Yosemite version 10.10.3 as soon as possible. Apple will not patch versions older than 10.10, reportedly due to the complexity of the fix.

I certainly hope they reconsider their position on this.

SpamSandwich 32917 comments · 19 Years

There's just no way I'll upgrade to Yosemite at this point. The bashing of Photos alone has convinced me to wait longer; however, many other issues have more than convinced me that Yosemite isn't for me yet.

SpamSandwich 32917 comments · 19 Years

Quote:
Originally Posted by DESuserIGN I certainly hope they reconsider their position on this.


Also, where's the source for definitive evidence that this vulnerability will not be addressed by Apple?

bobjohnson 154 comments · 10 Years

Quote:
Originally Posted by SpamSandwich Also, where's the source for definitive evidence that this vulnerability will not be addressed by Apple?

Quoted from TrueSec: "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."

SpamSandwich 32917 comments · 19 Years

Quote:
Originally Posted by BobJohnson Quoted from TrueSec: "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."


And has anyone independently verified this?