An OS X vulnerability allows hackers to gain administrator access to the operating system

 

In March of this year, a vulnerability was discovered that allows hackers to obtain administrator access to Apple's OS X, and the company has not yet managed to fix it. The vulnerability is in the Unix sudo command and affects both the older OS X Lion 10.7.x and the newer OS X Mountain Lion 10.8.x, even though Apple has known about it for some time and several security companies have discussed it.

Mac users should realize that an attacker must satisfy a variety of conditions before being able to exploit this vulnerability. For one, the end-user who is logged in must already have administrator privileges. And for another, the user must have successfully run sudo at least once in the past. And of course, the attacker must already have either physical or remote shell access to the target machine. In other words: this exploit can't be used in the kind of drive-by webpage attacks that last year infected some 650,000 Macs with the Flashback malware. This doesn't mean it's a non-issue though, since the exploit can be used in concert with other attacks to magnify the damage they can do.

The problem for Apple is that a company specializing in the exploitation of such vulnerabilities has developed software that simplifies exploiting this one, so ill-intentioned people can now obtain administrator access much more easily. Although Apple is preparing to release OS X Mountain Lion 10.8.5, the company has not mentioned this vulnerability, but that does not mean that it has not been resolved by those in Cupertino.