OS X 10.10.3 should have solved, among others, an extremely dangerous vulnerability called RootPipe, allowing hackers to gain administrator access to users' Macs and control them without any subsequent authentication, but local access to the Mac is required for the entire operation.
Although OS X 10.10.3 was supposed to solve the problem, a former employee of the NSA demonstrates in the video above that it remains active in the operating system of those from Apple Lossless Audio CODEC (ALAC),, everything what we see there being confirmed by a computer security researcher, so there are no doubts about the existence of the problem.
On my flight back from presenting at Infiltrate (amazing conference btw), I found a novel, yet trivial way for any local user to re-abuse rootpipe – even on a fully patched OS X 10.10.3 system. In the spirit of responsible disclosure, (at this time), I won't be providing the technical details of the attack (besides of course to Apple). However, I felt that in the meantime, OS X users should be aware of the risk.
The former employee of the NSA claims that he uses a method to evade the solution made by Apple for the existing vulnerability in OS X 10.10.3, a researcher in computer security stating on the day of the release of the update for OS X that the change made by the Apple company can be evaded in various ways.
The former employee of the NSA claims that he was close to demonstrating the vulnerability in an Apple Store of the Apple company, but instead he sent all the details regarding this security problem to the American company, so probably in OS X 10.10.4 it will be solved definitively by the Americans.
Considering that today I found out about a very serious vulnerability existing in over 1500 applications available in the App Store, the information regarding RootPipe certainly does not put the Apple company in a good light, although in the case of the applications the fault is not with those from Cupertino, but with the developers.
