
New CIA 'Vault 7' leaks detail 'Achilles' and 'SeaPea' vulnerabilities for Snow Leopard, Lion

The latest WikiLeaks "Vault 7" data dump details a pair of tools developed in 2011 for Apple's Snow Leopard and Lion operating systems, both of which still require root access to install.

The latest data purloined by WikiLeaks from the U.S. CIA's "Imperial" project shows working tools against older versions of Apple's Mac operating system. The first detailed package, named "Achilles," was developed by the agency on July 15, 2011 for use against Snow Leopard systems. It was built to be inserted into a legitimate disk image so that it installs at the same time as the legitimate application on that image.

The user still has to enter administrator credentials for the package to install. Had the target run a checksum on the disk image, it would not match the one the vendor published, since the trojanized image is a different file. Additionally, if the original disk image had an associated user agreement, it would not appear in the trojanized version.
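The checksum check the paragraph describes, as an added example that is not from the article or the leaked documents: a POSIX shell routine that compares a downloaded image's SHA-256 against a digest obtained from the vendor, then shows that appending anything to the file (the kind of change a trojanized image implies) makes the comparison fail. The file contents, the appended "payload" and the "published" digest (the SHA-256 of the three bytes "abc") are constructed for the demonstration; the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify a downloaded disk image against a vendor-published
# SHA-256 before mounting it. Any modification to the image, such as the
# extra installer "Achilles" splices in, changes the digest.

# Use whichever SHA-256 tool the host provides (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image FILE EXPECTED_HEX: returns 0 if the digest matches, 1 otherwise.
verify_image() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches the published digest"
        return 0
    fi
    echo "MISMATCH: $1" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demonstration on a constructed stand-in for a disk image (hypothetical data):
# the "published" value is the SHA-256 of the bytes "abc".
demo() {
    tmp=$(mktemp)
    printf 'abc' > "$tmp"
    published='ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'
    verify_image "$tmp" "$published"            # prints OK
    printf 'payload' >> "$tmp"                  # simulate a tampered image
    verify_image "$tmp" "$published" || true    # prints MISMATCH
    rm -f "$tmp"
}

demo
```

The digest only helps if it comes from a channel the attacker does not also control, such as the vendor's own HTTPS download page rather than the mirror the image came from; a tampered image delivered alongside a tampered checksum file would pass this test.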

More information is available about the "SeaPea" launcher, even though the leaked document is apparently an early draft. Where "Achilles" is only a vector for delivering an unspecified payload, "SeaPea" runs on Snow Leopard or Lion, hides executables, and reduces its visibility to traffic-monitoring applications.

Based on the detail in the leaked document, dated July 8, 2011, "SeaPea" is a much more mature tool. However, rather than hiding inside an installer, "SeaPea" appears to require the operator to have physical access to the computer, or the ability to remotely execute a Python script with root access.

Mac OS X 10.6 Snow Leopard was released on August 28, 2009, and last updated on July 25, 2011 — about the same time as the "Achilles" data was updated.

Puzzlingly, Mac OS X 10.7 Lion was released on July 20, 2011, after the "SeaPea" document was crafted. The last update for Lion was made on October 4, 2012.

Thursday's leak does not contain any record of successful operations undertaken with the tools, and the targeting they require, plus the physical or root access needed to install them, limits their wide-scale use.

On March 7, 8,761 files were released by WikiLeaks alleging that the U.S. Central Intelligence Agency has a dedicated iOS, Windows, and Android exploit team, and failed to keep the attack vectors under lock and key. Later on Tuesday, Apple noted that "many" of the attacks had already been dealt with in the course of updating iOS.

A closer look at the Apple exploits following initial release showed a great deal of effort put into attacking Apple gear, but found what had been disclosed at that point to be rudimentary, non-functional, or proof-of-concept only. The releases on Thursday are the first evidence that the CIA had functional tools to use against Apple hardware owners.



13 Comments

sflocal 16 Years · 6138 comments

Snow Leopard and Lion?  So how many users does that include?  Two?

I'm sure there are countless folks, both government and individuals, attempting to get into MacOS as easily as Windows.  Keep at it.  I'll trust Apple to keep my system more secure than Windows.

tipoo 14 Years · 1122 comments

Interesting. Question is whether Apple will follow what Microsoft did patching XP, with much more recent OSs like Snow Leopard which stopped getting other security patches a while back.

Soli 9 Years · 9981 comments

sflocal said:
Snow Leopard and Lion?  So how many users does that include?  Two?

I'm sure there are countless folks, both government and individuals, attempting to get into MacOS as easily as Windows.  Keep at it.  I'll trust Apple to keep my system more secure than Windows.

Considering it was released in 2011 and Lion wasn't replaced until 2012, I'd say that makes the information relevant. The assumption that because you don't run Lion today it means it wasn't an issue when you did, or that there aren't other exploits in use today that we'll find out about years from now, means you're missing the point.

rob53 13 Years · 3312 comments

"still require root access to install." In other words, it's not really a vulnerability, it's simply a malware program that could be required through a phishing attack. I don't see this as being a big deal until I see the way this package was intended to be delivered. It doesn't matter what OS version it was written for, all that matters is how the CIA intended on getting root access to the Mac. We've had to deal with this type of malware being delivered by Norton, Adobe, Microsoft and many others using "official" install packages.

king editor the grate 15 Years · 662 comments

I still use 10.6 on a 2006 iMac and a 2009 MacBook Pro. "Mac OS X 10.6 Snow Leopard was released on August 28, 2009, and last updated on July 25, 2011 — about the same time as the "Achilles" data was updated." I think there were one or two updates since then, one to add the App Store, and another a few years ago to address some critical flaw.