Thursday, April 9, 2015 [Tweets] [Favorites]

Yosemite-Only Security Fixes

Emil Kvarnhammar:

The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system.

The intention was probably to serve the “System Preferences” app and systemsetup (command-line tool), but any user process can use the same functionality.

Apple has now released OS X 10.10.3 where the issue is resolved. OS X 10.9.x and older remain vulnerable, since Apple decided not to patch these versions. We recommend that all users upgrade to 10.10.3.

This sounds like a serious bug that Apple should fix for previous OS versions as well. Not everyone can update to Yosemite, and some don’t want to yet because of bugs. Mavericks was the current OS version less than six months ago. It’s too early to abandon it.

4 Comments

"Mavericks was the current OS version less than six months ago. It’s too early to abandon it."

As Gruber would say, finally!

We've been moving towards this point for a looooong time. Now we've actually hit the reductio ad absurdum phase of diminished backwards support from Cupertino.

Hey, you can't even downgrade an iOS device. Why should Macs have support for anything but the current OS? Back to the Mac!

This sounds like a serious bug that Apple should fix for previous OS versions as well. Not everyone can update to Yosemite, and some don’t want to yet because of bugs. Mavericks was the current OS version less than six months ago. It’s too early to abandon it.

Agreed, but from the timeline at the bottom of the article:

Jan 12th 2015: Joint decision between Apple and TrueSec to postpone disclosure due to the amount of changes required in OS X

It sounds like this could have been quite a complex and far-reaching fix that could make it impractical (or extremely difficult) to backport safely.

While I also believe Apple's stance on security to be damaging and absurd, it is at least clear: now that OS X updates are free, there is officially no reason at all not to upgrade. Ergo, there is no need whatsoever to support old versions of OS X since nobody in their right mind would be running them.

It's all baloney, of course, but it is Apple's perspective. If OS X were still paid for, I am willing to bet they would keep supporting older versions, if only because they are required to support the products they *sell* for a given amount of time. OS X is no longer sold, so they are under no compulsion to keep it in working condition.

This is the age-old computing paradox: Microsoft offers a much safer OS in the long run because they plug their many holes (and are the focus of the security industry), while Apple offers a much safer OS in the short run by having marginally sounder code — but then they fail to do anything with it.

Pour out a 40oz for folks like Pierre Igot. Guy buys a top of the line Mac Pro, finds Yosemite causes hellish problems for months, and finally gets a partial fix in 10.10.3.

Now, normally, I'd just say, hey, Pierre (and folks like him), why did you go with Yosemite if it didn't work on your machine? He's not a dev. He's doesn't need to stay current with the latest release.

But now with Apple abandoning 6 month old hardware on a security basis, folks like him do need to stay current, even if staying current breaks their machine.

Mission Accomplished, Cupertino!

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment