Free Republic

How to protect OS X from the “rootpipe” vulnerability
Mac Issues | November 4, 2014 | by Topher Kessler

Posted on 11/04/2014 7:32:21 PM PST by Swordmaker

A relatively long-standing vulnerability in OS X has been uncovered by a Swedish hacker, Emil Kvarnhammar, who has dubbed it “rootpipe” by the so-far undisclosed method in which it can be used to take control of your Mac. In this vulnerability, a flaw allows a hacker to gain administrative access to a system without supplying a password, and then be able to interact with your Mac as an administrator.

In an interview with MacWorld, Kvarnhammar describes this bug as having been present in OS X 10.8.5, but he was not able to replicate it in 10.9; however, Apple has shuffled around its code in OS X 10.10 so the bug again allows access.

In contacting Apple about the issue, Kvarnhammar did not get a response; however, Apple has agreed upon a date in January for full disclosure of the vulnerability’s details, suggesting Apple has indirectly acknowledged the issue and is developing a fix to be out by then.

In the meantime, this and other privilege-escalation vulnerabilities can be managed by taking two important security steps with your Mac:

Use a standard user account

When you set up your Mac, the first user account created will be an administrative one so you can fully configure your system; however, Apple leaves you with this as your main account, instead of requiring you to create a separate user account with more limited privileges for daily use. By working in an admin account, you chance encountering vulnerabilities that could give access to your system under this account’s privilege level, and by limiting yourself to a standard account you can help stem such vulnerabilities.

The process for switching to a standard account for daily use is easy and painless:

  1. Open the Users & Groups system preferences and authenticate by clicking the lock.
  2. Create a new user account, and check the box to allow the user to administer the computer.
  3. Log out of your current account, and log into the new administrator account.
  4. Go back to the Users & Groups system preferences and again unlock them.
  5. Select your main user account and uncheck the option to allow the user to administer the computer.

[Figure: Setting admin privileges in OS X. From within your new administrative account, uncheck this box for your other user accounts to prevent them from running as admin.]

When finished, you can log out and back into your main account, and be able to use it as if there is no difference. Now whenever you need to administer your system by installing programs or changing settings that require admin access, you will supply the username and password of your new admin account, instead of that for your current account. This is a trivial difference in function, but does allow your Mac to run with added security.

Use FileVault

In addition to running as a standard user, consider enabling FileVault on your Mac. This is another recommendation by Kvarnhammar for preventing the “rootpipe” vulnerability from being used. In general, it is also a good idea, especially for portable systems, to have the entire contents of the drive encrypted. This will prevent a system from being rebooted in alternative modes to bypass the operating system’s security features and access data on the drive. Without the encryption password, the data on your Mac’s drive will be completely inaccessible.

[Figure: FileVault in OS X. Click this button in the Security & Privacy system preferences to enable FileVault.]

FileVault can be enabled by authenticating in the Security & Privacy system preferences, and then clicking the “Turn On FileVault” feature in the FileVault tab. Follow the on-screen instructions for managing your encryption key and enabling specific user accounts for unlocking the drive, and after your drive encrypts (it may take a few hours) your Mac’s drive will be fully encrypted.


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: computer; mac; malware; osx
The way to avoid this "Rootpipe" vulnerability is the standard way every user should already be operating his computer for his own data safety and sanity. . . as a Standard User. If you are operating as an Admin, you are at risk of having a hacker gain access to your computer.
1 posted on 11/04/2014 7:32:21 PM PST by Swordmaker
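The two steps in the article (daily use from a standard account with a separate administrator account, and FileVault turned on) can be checked from Terminal. The script below is an added example, not part of the article or of any post in this thread; it assumes that `dscl . -read /Groups/admin GroupMembership` prints a line of the form `GroupMembership: root name ...` and that `fdesetup status` prints `FileVault is On.` or `FileVault is Off.`, and the user name `alice` is a constructed sample.

```shell
# Added example: checks the two settings the article recommends; the parsers
# take command output as text, so they also run on constructed samples.
# is_admin_member USER "GroupMembership: root alice" -> status 0 if USER is listed
is_admin_member() {
    for m in ${2#GroupMembership:}; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# count_human_admins MEMBERSHIP_LINE -> prints number of admin members besides root
count_human_admins() {
    n=0
    for m in ${1#GroupMembership:}; do
        [ "$m" = "root" ] || n=$((n + 1))
    done
    echo "$n"
}

# filevault_state FDESETUP_TEXT -> prints on, off or unknown
filevault_state() {
    case $1 in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# audit USER MEMBERSHIP_LINE FDESETUP_TEXT -> prints findings, returns problem count
audit() {
    problems=0
    if is_admin_member "$1" "$2"; then
        echo "FAIL: $1 is in the admin group; use a standard account for daily work"
        problems=$((problems + 1))
    elif [ "$(count_human_admins "$2")" -eq 0 ]; then
        echo "FAIL: no separate administrator account found"
        problems=$((problems + 1))
    else
        echo "ok:   $1 is a standard user and a separate admin account exists"
    fi
    if [ "$(filevault_state "$3")" = on ]; then
        echo "ok:   FileVault is on"
    else
        echo "FAIL: FileVault is not reported as on"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# On a Mac use live values; elsewhere use constructed sample values (not from a real machine)
if command -v fdesetup >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
    audit "$(id -un)" "$(dscl . -read /Groups/admin GroupMembership)" "$(fdesetup status)" || echo "$? problem(s) found"
else
    audit alice "GroupMembership: root alice" "FileVault is Off." || echo "$? problem(s) found"
fi
```

Run it from the account you use every day; a clean result prints two `ok:` lines.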

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
A "newly" reported vulnerability (actually it's an old vulnerability that has re-appeared in OS X.10 after being swatted since OS X.6) called "Rootpipe" that could possibly allow a malicious hacker to gain Administrator privileges without a password. The way to avoid this possibility is to run your Mac as a standard user. This article gives instructions on how to set that up for those of you who are not already doing that. — PING!


Apple Security Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 11/04/2014 7:36:54 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Thanks, I’ll change it when I’m not so tired. I don’t want to change my admin name and pw but I guess I will have to.


3 posted on 11/04/2014 7:47:05 PM PST by Aliska

To: Swordmaker

Good advice, much of it general practice in IT where it can be done.


4 posted on 11/04/2014 8:25:21 PM PST by rlmorel (The Media's Principles: Conflict must exist. Doesn't exist? Create it. Exists? Exacerbate it.)

To: Aliska
Thanks, I’ll change it when I’m not so tired. I don’t want to change my admin name and pw but I guess I will have to.

Make your admin password something easy to remember but hard to guess. Use a pass phrase with numbers and a symbol. Something like

15$Tw0m1dn1ght

5 posted on 11/04/2014 8:36:03 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
15$Tw0m1dn1ght

Oh please lol. Not tonight. But you made me think of something. I'll just add stuff to my current one that will be mnemonic. Haven't seen that word for a while.

6 posted on 11/04/2014 8:39:03 PM PST by Aliska

To: Swordmaker

Best way is to get Windows 10 when it arrives : )


7 posted on 11/04/2014 8:54:00 PM PST by minnesota_bound

To: Aliska
Oh please lol. Not tonight. But you made me think of something. I'll just add stuff to my current one that will be mnemonic. Haven't seen that word for a while.

Good, glad I greased the creative skids. As long as you can remember it and not say "Oh, now what did I make that password????" you'll do OK. Just write it down somewhere safe, as well. It helps to make the Admin user name something unusual as well. Name it after that great Aunt who nobody knows you have. . . that you really don't have. You know, the one that won't leave you billions in her non-existent will. LOL!

Also, those websites that want you to answer "security questions" such as "Where were you born?" and "What was your mother's maiden name?", there is no law in the world that says you have to answer them truthfully. That was how all those celebrities got their nude pictures stolen: they used truthful answers on their security questions which could be learned by someone researching their bios. All you have to do is remember HOW you answered them! For example, "Where were you born?" could be answered "heaven" or "in a cab" and "Your mother's maiden name?" could be answered "fred" or "1776" and no one will ever know, except you. Just don't forget what you answered. Again, write your answers down. The key is to enter them exactly the same way when they ask again. Make it a practice to always answer those in lower case letters, then you won't ask yourself whether it is capitalized or not.

8 posted on 11/04/2014 8:56:32 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

bump


9 posted on 11/04/2014 9:02:23 PM PST by CGASMIA68

To: Swordmaker
My aunt is the one who left me fairly well off, God bless her soul. Or I wouldn't have this iMac.

When I was setting up this computer, my son jumped in and started all that preliminary stuff, think he asked me what I wanted for a pw. Well, something came up I downloaded something and could not remember my user name or password and didn't know how to find it anywhere.

Anyway finally I remembered.

Yes, I have been using that trick about lying to the questions and it's almost as easy to remember them as when I gave real answers. I need to quit using my mom's maiden name because anybody could find it.

I'm going to knock it off for tonight. Thanks again for posting the article. It doesn't look too hard.

10 posted on 11/04/2014 9:09:15 PM PST by Aliska

To: Aliska
I'm going to knock it off for tonight. Thanks again for posting the article. It doesn't look too hard.

It isn't hard. Just follow the instructions and then log back into your usual account. Have a good night, Aliska.

11 posted on 11/04/2014 9:14:43 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker
Make your admin password something easy to remember but hard to guess. Use a pass phrase with numbers and a symbol. Something like
15$Tw0m1dn1ght

I used to use difficult passwords… until I couldn't access something and spent weeks trying to figure out my own password! Use non-alphanumeric characters sparingly, especially "?" at the end - I kept forgetting to use the "?" at the end of a password, thinking I was just questioning whether the password was correct in my notes. (I never jot down the full password, just key characters to jog my memory.) A couple decades ago at a Microsoft course (I was a Windows admin) at a Microsoft facility, the instructor advised using no fewer than 28 characters of mixed characters in a password, and unique passwords for each need! Screw that. You can make it difficult with far fewer characters than 28.

12 posted on 11/05/2014 12:34:37 AM PST by roadcat

To: Swordmaker

Could you please add me to the ping list? Thanks! I’ve switched over to all Apple stuff and it has seriously de-stressed my life. :-)


13 posted on 11/05/2014 3:02:06 AM PST by Marie Antoinette (:)

To: Swordmaker

Thanks!

Sword, are you using Safari or Firefox and why? Or other?


14 posted on 11/05/2014 5:38:16 AM PST by aMorePerfectUnion ( "I didn't leave the Central Oligarchy Party. It left me." - Ronaldus Maximus)

To: Swordmaker
Yes, please, for the love of all that is holy (or even that which is not), never run as a user that has more privileges than you need. I don't care what operating system you are on, your "everyday" account should never have admin privileges; use a separate admin account, even if it's a little extra hassle.

Your best passive defense against malware is always going to be running with the fewest privileges necessary.

15 posted on 11/05/2014 6:02:20 AM PST by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)

To: Swordmaker
If you are operating as an Admin, you are at risk of having a hacker gain access to your computer
. . . and thanks to your http://www.freerepublic.com/focus/f-chat/2716314/posts?page=11#11 I stopped running as admin in May, 2011. Thanks, SM! :-)
I notice that the article promotes file vault. But apparently you don’t use it?

16 posted on 11/05/2014 6:27:37 AM PST by conservatism_IS_compassion ("Liberalism” is a conspiracy against the public by wire-service journalism.)

To: Swordmaker

Bookmarked.


17 posted on 11/05/2014 6:31:46 AM PST by conservatism_IS_compassion ("Liberalism” is a conspiracy against the public by wire-service journalism.)

To: roadcat
A couple decades ago at a Microsoft course (I was a Windows admin) at a Microsoft facility, the instructor advised using no fewer than 28 characters of mixed characters in a password, and unique passwords for each need! Screw that. You can make it difficult with far fewer characters than 28.

I believe I am the one who is responsible for Microsoft not using 1s, Is, lowercase Ls, Os, or 0s in their serial numbers. Many years ago when Windows 95 just came out, I was trying to install both Windows 95 and then to install Microsoft Word on three new computers for a client. The serial numbers that came with both software packages had numerous zeros, ones, lower case "Ls" and upper case "Os". . . and the font they had selected made determining what was what impossible. I was extremely frustrated.

I called Microsoft Tech support and they tried to give me a new activation code for Windows, but I could not read the codes I had over the phone for them to validate. Finally, the guy on the phone had pity and went ahead and agreed we had indeed bought the product and gave us codes. After getting Windows installed and working, I then went on to the MS Word install and ran into the same damn thing. By this time I was really toasted. I called Microsoft Corporate headquarters and kept escalating my call until I was talking to someone with Senior VP after his name, who said he worked right under Bill Gates. . . and explained the problem.

He got a fresh Windows 95 package and looked at it and said, "Good Grief! You know, you're right. I can't tell the difference either! We hadn't caught that! We've had an extraordinary number of people having trouble entering activation codes. You've figured out why!"

They had not tweaked to a simple issue. Within a month all new Microsoft products came out without those characters in their serial numbers or activation codes. I think they also dropped 5s and "Ss", anything that could be mistaken for another character, as well.

Did they pay me anything for my discovery? HAH! No way. But I know it was me. hehehehehehe.

18 posted on 11/05/2014 9:34:43 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: aMorePerfectUnion
Sword, are you using Safari or Firefox and why? Or other?

I use Safari. I prefer it to Firefox. The font handling is Apple native and I prefer the interface. I keep both around because there are a few websites that are not ACID 3 compliant that for some reason Safari cannot handle which Firefox can.

One of the strangest is the website that handles garnishees for child support payments for the State of California. One of my employees at the office I manage has to pay child support payments through a garnishee of his wages. . . so I have to log on and pay the withheld amount electronically to the State Disbursement Unit of the State of California. However, when I try to log on in Safari, clicking the continue button just brings me back to the login screen. It works fine in Firefox.

The tech support page for the website claims that to use the site one needs a "modern computer using either Windows with Internet Explorer, or an OS X Mac with Safari or Firefox". . . but they lie. I have attempted to lodge a complaint with the SDU web support, but their phone says complaints must be lodged with your county's Child Services Agency. . . and then disconnects. No email complaint form allowed. Calling the County Children's Service Agency results in them telling me I have to call the phone number on the web site for problems with the website. . . which tells me to call the County's . . . which tell me . . . you get the idea. I have complained to the Governor's office (you know, Governor Jerry "Moonbeam" Brown) every three months now for four years and have not gotten an answer. In California 30% of consumers who have to also use this website are Mac users. It is the ONLY state website that is not Mac compliant.

The one they had before some MSCE got his mitts on it looked like it was designed by an ex-kidnapper. Talk about RANSOM NOTE DESIGN. It did not align from top to bottom, had at least fifteen fonts, and action buttons were oddly named and randomly sprinkled all over the screen. You had to scroll around to find entry boxes, and action buttons were not related or located close to entries they were intended to affect. It was a mess. . . but it sort of worked. I had heard it was designed by a class of inmates at one of the prisons as a class project in HTML web design. LOL! The most you could say for it was it worked.

19 posted on 11/05/2014 9:52:21 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: conservatism_IS_compassion
I notice that the article promotes file vault. But apparently you don’t use it?

I don't, but I have some encrypted individual file folders.

20 posted on 11/05/2014 9:54:26 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
