Free Republic

Zero-day exploit can bypass rootless on Mac to modify the system without detection
Digital Trends ^ | March 25, 2016 | By Justin Pot

Posted on 03/27/2016 12:18:07 AM PDT by Swordmaker


A zero-day exploit affecting Mac OS X allows attackers to execute arbitrary code on any binary. That’s not good, and it gets worse. The exploit bypasses System Identity Protection (SIP, sometimes called rootless), and is almost impossible to trace once implemented. Apple has been notified and a patch is on the way.

“Our researchers recently uncovered a major flaw which allows for local privilege escalation and bypass of System Integrity Protection, Apple’s newest protection feature,” wrote SentinelOne in a blog post announcing the discovery. A talk given by Pedro Vilaça at SyScan360, a security conference in downtown Singapore this week, outlined the exploit in detail.

The exploit is unique in that it doesn’t use memory corruption, a common attacker exploit. Instead, the attack exploits a longstanding vulnerability in OS X’s security schemes to gain near-total control over any Mac.

The even crazier thing, however, is that this exploit not only bypasses System Identity Protection but can actively use it to ensure changes made to the system aren’t repaired, something Vilaça calls a SIP “protection racket”.

SIP was introduced with OS X 10.11, El Capitan. It prevents users from changing core system files entirely, even if they enter a root password (hence the nickname “rootless”: there effectively is not a root user). Bypassing SIP and making changes means users cannot undo the changes without first disabling SIP.

Even worse, this exploit is hard to detect using traditional methods.

It all sounds awful, but happily there is no evidence of this exploit being used in the wild, and SentinelOne has informed Apple of the problems. Patches will be out soon.

Vilaça, for what it’s worth, is not blaming Apple.

“Designing security systems is hard,” Vilaça’s slides say at the end of the talk. “Move to defense and give it a try.”

You can read the presentation slides here. It’s a good overview, though a lot of the details seem to be mentioned on-stage and are not on the slides. Here’s hoping a longform version will come out soon.



TOPICS: Business/Economy; Computers/Internet
KEYWORDS: applepinglist; osx11elcapitan; security; vulnerability

1 posted on 03/27/2016 12:18:07 AM PDT by Swordmaker

To: dayglored; ShadowAce; ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; ...
A unique Zero Day Vulnerability was reported yesterday that can take over an OS X.11 El Capitan Mac at the ROOT level without having the Root user activated. Once a hacker uses this vulnerability to gain control, he can actually prevent the owner from getting control back using the Mac's own protections. This vulnerability is exploitable but it is not yet in the wild and Apple is aware of the issue and is going to release a fix for the issue. From what I can see in the explanation, the attack still requires downloading a Trojan, and/or physical possession of the target computer to use the Terminal for inputting the malware. Still it is a serious vulnerability but it can and will be fixed. — PING!

Pinging dayglored and Shadow Ace for their attention to a Zero Day vulnerability that could be very dangerous in Apple OS X.11.


OS X.11 El Capitan Vulnerability
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

2 posted on 03/27/2016 12:30:45 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)

To: Swordmaker

Got any tips on how to break ransom-ware?


3 posted on 03/27/2016 12:44:20 AM PDT by papertyger (-/\/\/\-)

To: Swordmaker

Welcome to the Windows world. Now that OSX is popular enough to get attacked, we realize it’s far weaker than Windows 10.


4 posted on 03/27/2016 1:15:31 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: papertyger
Got any tips on how to break ransom-ware?

Which one? If it's one that works in Safari, force quit Safari, hold down shift while restarting Safari to prevent opening previous session tabs or windows, once open, clear history, cookies, and caches. Done.

If it is the one you get from the Torrent download? With that one it was discovered the encryption key is in a library where it can be located. Boot from another drive or over the network, examine the user library for an unrecognized application support library, and it's in there.

5 posted on 03/27/2016 1:19:21 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)
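The second tip above amounts to auditing the user's Application Support folder for entries you do not recognise. The script below is an added example (not from this thread or from any vendor) that does that audit against an allowlist, the way you would run it after booting from a second drive; the directory tree and allowlist it builds are constructed sample data, and the `.UnknownHelper` entry is a placeholder name, not a real indicator.

```shell
#!/bin/sh
# Added example: compare the immediate children of an Application Support
# directory with an allowlist of names you recognise and print the rest.
# Hidden entries (leading dot) are included on purpose, since `ls -A` lists them.
set -eu

# audit_app_support DIR ALLOWLIST
#   Prints every entry in DIR whose name is not listed in ALLOWLIST, one per
#   line, sorted. Extra allowlist names that are absent from DIR are ignored.
audit_app_support() {
    dir=$1
    allow=$2
    tmp=$(mktemp -d)                     # scratch files go outside the audited tree
    ls -A "$dir" | sort > "$tmp/present"
    sort -u "$allow" > "$tmp/allow"
    # comm -23: lines only in the first input, i.e. present but not allowlisted.
    comm -23 "$tmp/present" "$tmp/allow"
    rm -rf "$tmp"
}

# build_sample ROOT
#   Constructs a fake "Application Support" tree plus an allowlist under ROOT.
#   The names are sample data for this demonstration only.
build_sample() {
    root=$1
    mkdir -p "$root/Application Support/com.apple.TCC" \
             "$root/Application Support/Firefox" \
             "$root/Application Support/.UnknownHelper"   # constructed unknown entry
    printf 'com.apple.TCC\nFirefox\nAddressBook\n' > "$root/allowlist.txt"
}

# demo: build the sample tree, run the audit, clean up.
demo() {
    root=$(mktemp -d)
    build_sample "$root"
    echo "Entries not in allowlist:"
    audit_app_support "$root/Application Support" "$root/allowlist.txt"
    rm -rf "$root"
}

demo
```

On a real machine, point `audit_app_support` at the mounted user's `Library/Application Support` and at an allowlist captured from a known-clean backup.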

To: Swordmaker

Thanks!


6 posted on 03/27/2016 1:21:01 AM PDT by papertyger (-/\/\/\-)

To: for-q-clinton
Welcome to the Windows world. Now that OSX is popular enough to get attacked, we realize it’s far weaker than Windows 10.

No, it's still stronger. The security by obscurity canard has been shot down multiple times for years. OS X is not obscure. . . and every computer in the world is as close as next door on the web.

Attacking a Mac is completely different than attacking a Windows PC. Yes, a Mac can be hacked one at a time, but unlike Windows PCs, there are no vectors for wholesale multiple attacks to easily work.

7 posted on 03/27/2016 1:28:26 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue..)

To: for-q-clinton; Swordmaker

Windows user brags about security...

My sides!!


8 posted on 03/27/2016 3:53:41 AM PDT by IncPen (Hey Media: Bias = Layoffs)

To: Swordmaker

Right, it’s no longer obscure and look what happens.


9 posted on 03/27/2016 4:25:23 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: Swordmaker

Give me a vector that works on all Windows 10 PCs.


10 posted on 03/27/2016 4:26:29 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: IncPen

I know right! OSX is that bad!!


11 posted on 03/27/2016 4:27:57 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton; Swordmaker
I know right! OSX is that bad!!

You completely missed my point, but thanks for responding!!

12 posted on 03/27/2016 4:36:38 AM PDT by IncPen (Hey Media: Bias = Layoffs)

To: papertyger

Yea, get an external drive, copy all your stuff to it and don’t keep anything important on the machine’s drive. That’s what I do anyway. I have a MacBook Pro with a 2TB plug-in drive, like a vault with all my valuable stuff that nobody can get to or hold for ransom. It’s one solution, I’m sure there are others.


13 posted on 03/27/2016 10:27:55 AM PDT by slouper (LWRC SPR 5.56)

To: for-q-clinton; Swordmaker

Welcome to the Windows world. Now that OSX is popular enough to get attacked, we realize it’s far weaker than Windows 10.
***********
That was my contention a while back... swordmaker claimed otherwise.


14 posted on 03/27/2016 12:59:12 PM PDT by Neidermeyer (Bill Clinton is a 5 star general in the WAR ON WOMEN and Hillary is his Goebbels.)

To: papertyger
Got any tips on how to break ransom-ware?

Keep up-to-date backups you can restore from if you get hit. Most importantly, don't open any email attachments from anyone you don't know, and if you do know the sender, call to confirm what they sent you.

15 posted on 03/27/2016 3:52:51 PM PDT by ReignOfError

To: for-q-clinton

“Welcome to the Windows world. Now that OSX is popular enough to get attacked, we realize it’s far weaker than Windows 10.”

Not at all. Apple’s security team didn’t catch a particular vulnerability before releasing - that happens. It was part of a new feature that will greatly improve system security once corrected, and one for which Windows has no equivalent.

In general, BSD (of which MacOS is a variant) is considered to be one of the most secure OSes.

As for Windows 10, here’s how the initial release went:

“Microsoft patches Windows 10, Edge, 4 critical holes, 2 exploits in the wild”

http://www.networkworld.com/article/2969896/microsoft-subnet/microsoft-patches-windows-10-edge-4-critical-holes-2-exploits-in-the-wild.html

Windows 10 is far from a security paragon.


16 posted on 03/28/2016 8:18:00 AM PDT by PreciousLiberty (Cruz or Trump '16! JUST NOT A DEM!!!)

To: Swordmaker

Can one who has physical possession of a Mac not still bypass security anyway, if you have an install disc/drive to boot from?


17 posted on 03/29/2016 10:57:23 AM PDT by TheBattman (Isn't the lesser evil... still evil?)
