Unpatched 0-day threatens Apple Mac users

OS X flaw is exposed by teenage Italian security researcher without warning Apple, reigniting the debate about 'irresponsible' bug disclosure.

Apple OS X

A new zero-day flaw that could give hackers root access to Apple Macs has been discovered by 18-year-old Italian security researcher Luca Todesco.

But Todesco has run into heavy criticism for revealing the bug on GitHub last Sunday without giving Apple time to patch it. Others in the industry have leapt to his defence, blaming Apple in turn for failing to offer vulnerability researchers bug bounty rewards.

Todesco says that the privilege escalation flaw is a threat to Mac users running OS X Yosemite and Mavericks versions 10.10 and 10.9, but not the latest El Capitan version 10.11 which is in beta test.

The bug in Apple's IOKitLib interface code allows hackers to exploit a flaw in the way OS X handles NULL pointers in programs to inject their own malicious code.

Symantec has independently analysed Todesco's proof-of-concept and confirmed the bug exists, saying in a 17 August blog: “The exploit uses two different vulnerabilities to create a memory corruption in the OS X kernel. This is then used to bypass security features that block exploit code from running, providing the attacker with root access.”

Symantec points out that the flaws “require the victim to voluntarily run an application to exploit it” but warns “they represent a threat until a patch is published by Apple”.

In a 17 August blog, UK security expert Graham Cluley agrees: “Fortunately, the attack does depend upon unsuspecting users downloading and agreeing to execute malicious code on their computer — although, as we all know, malicious hackers are experts at using social engineering and compelling lures to trick the unwary into making unwise decisions.”

Apple has not yet commented on Todesco's discovery, which comes just days after it patched another root access privilege escalation vulnerability, CVE-2015-3760, in its DYLD_PRINT_TO_FILE software.

In his Twitter feed, Todesco reveals the abuse he has received for not giving Apple time to fix the latest flaw, saying: “This is kinda getting out of proportion. Best outcome for me would have simply been to stay quiet. I had reasons to drop (publish) it the other day.”

To help users, Todesco initially offered kernel extension software called NULLGuard which mitigates the flaw, then recommended the SUIDGuard extension produced by security researcher Stefan Esser.

Meanwhile Symantec advises: “Until a patch for the vulnerability is issued, affected Mac users are advised to exercise caution and only download and install new software from trusted sources. Users are advised to apply any security updates to OS X as soon as they become available.”

Todesco defended his action in revealing the exploit to the general public as being no different to using code on jailbroken devices.

Esser has also backed him, saying the criticism “shows how hostile the world is to vulnerability reporters”.

Graham Cluley has also criticised Apple's attitude to researchers like Todesco.

“Apple might get more assistance from independent vulnerability researchers if it were to offer a financial reward for the responsible disclosure of bugs, rather than take its current — somewhat aloof — approach,” he said.

“Apple, please get the bugs fixed. Then sort out your relationship with the vulnerability researchers.”

Elsewhere in the industry, opinions remain divided.

In comments emailed to SCMagazineUK.com, Lancope VP of threat intelligence Gavin Reid backed bug bounty rewards.

“Doesn't matter if we like it or not,” he said, “vulnerabilities have a price tag now. It would be great if everyone took the higher road of responsible disclosure. However with options like selling to the highest bidder or trading the disclosure for fame and notoriety, often what is in the public's best interest is lost.

“Companies have fought back on this problem with bug bounties, or other programmes designed to give the finder recognition and another path than selling out.”

But Amichai Shulman, CTO of Imperva, told SCMagazineUK.com via email: “The issue here is not about right or wrong, about whether the researcher should have acted differently or whether a company has a bug bounty programme or not – there have been zero-day disclosures even with companies who do have these programmes in place.

“This latest release is just a reminder that we do not control vulnerabilities or attacks and need to build our security solutions with two principles in mind: don't rely on constantly fixing the vulnerabilities in our code, use an overlay security solution that quickly identifies an attempt to exploit newly published vulnerabilities (aka virtual patching). And detect an attack rather than a tool - for example, focus on how information is being accessed in your database rather than how an endpoint can be compromised.”

Brian Ford, senior solution architect at Lancope, told SCMagazineUK.com: “Luca's actions are like the young man who throws a rock that breaks the front glass window and allows others to pry open the front door at a shop in the dark of night allowing others to loot and steal. His justification seems to be that he really didn't do anything that was too wrong. He doesn't seem to appreciate that he could be facilitating other more serious crimes.”