On Thursday Apple released another batch of updates for a variety of its products. The security update for OS X Yosemite (10.10.3) includes a fix for a four-year-old “backdoor API to root privileges” in OS X's Admin framework.
“The intention was probably to serve the ‘System Preferences’ app and systemsetup (command-line tool), but there is no access restriction. This means the API is accessible (through XPC) from any user process in the system,” noted TrueSec researcher Emil Kvarnhammar, who discovered the issue in October 2014.
Because of the number of changes required in OS X, Apple is only now releasing the patch. For the same reason, the fix will not be backported to OS X 10.9.x and older.
Kvarnhammar initially succeeded in gaining “root” access only from an admin account, but later found a way to make it work for all users.
“This is a local privilege escalation to root, which can be used locally or combined with remote code execution exploits,” he explained.
For more technical details about his research, as well as exploit code, check out Kvarnhammar's write-up.
Users are advised to upgrade to 10.10.3 as soon as possible.