Apple releases OS X El Capitan, patches passcode loophole in iOS

Yesterday Apple released OS X 10.11 El Capitan to end users. With it, the company concentrated more on performance and security than on new features.

Among the security improvements is System Integrity Protection (SIP), a new security feature that is enabled by default (but can be disabled).


“SIP protects system processes, files and folders from being modified or tampered with, even from a user with root (administrative) access. It does this by setting limitations to all processes on the system,” Stephen Coty, Chief Security Evangelist at Alert Logic, explains. “Files, folders and processes will also be protected by the addition of an extended file attribute. Protected environments include /usr, /System, /sbin and /bin, which is where most application and user files are located. This will prevent code injection into a system by stopping all processes without specific privileges from writing to the flagged files and folders.”

“This is a brilliant way to limit the exposure that an attacker can utilise for an intrusion in the Macintosh operating system. Malicious code installed to establish communications and build out the tool set will now have challenges when trying to install additional tools such as worms and remote access Trojans,” he noted.

“This will also limit what most users are capable of doing on their own systems. There are very technical users who need access to these regions of the system and require that access. For that advanced user, we find in everything there are workarounds and ways for the user to regain that control of their system. They did not make it easy, but it is tedious and possible. For the average user, who would also fall for most phishing campaigns, this is a great thing for securing your environment and limiting the actions of a malicious actor on an infected workstation. This forces malicious actors to have to go back to the drawing board and rework their intrusion points.”

For a detailed, technical overview of how it works, check out Ars Technica’s exhaustive review of El Capitan (the section on SIP starts on page 8).

System Integrity Protection is a great move by Apple to further secure their operating system. System Integrity Protection is enabled by default.
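A defender-side check of the two SIP facts described above (the feature is on by default but can be disabled, and protected roots carry a flag), as an added example that is not code from the article or from Apple. It assumes the macOS `csrutil status` wording and the BSD `ls -O` column layout, in which SIP-protected paths show the `restricted` file flag; on a machine without `csrutil` it runs on constructed sample output instead.

```shell
#!/bin/sh
# Added SIP audit example (not from the article). Roots are the ones the
# article names, with /System capitalised as it is on disk.
SIP_ROOTS="/usr /System /sbin /bin"

# Constructed sample output, used only where csrutil is unavailable.
# /bin is deliberately shown without the flag so the check has a finding.
SAMPLE_STATUS="System Integrity Protection status: enabled."
SAMPLE_LS='drwxr-xr-x@ 11 root wheel restricted 352 Sep 30 2015 /usr
drwxr-xr-x@  5 root wheel restricted 160 Sep 30 2015 /System
drwxr-xr-x@ 62 root wheel restricted 1984 Sep 30 2015 /sbin
drwxr-xr-x@ 37 root wheel - 1184 Sep 30 2015 /bin'

# Map the text of `csrutil status` to enabled / disabled / unknown.
sip_state() {
    case "$1" in
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo unknown ;;
    esac
}

# Succeed if one `ls -ldO` line carries the "restricted" flag that SIP sets.
has_restricted_flag() {
    case "$1" in *restricted*) return 0 ;; *) return 1 ;; esac
}

# Read `ls -ldO` lines on stdin; print the path (last column) of each
# line that lacks the flag.
unprotected_roots() {
    while IFS= read -r line; do
        has_restricted_flag "$line" || printf '%s\n' "${line##* }"
    done
}

# Print findings; return 0 only when SIP is enabled and every root is flagged.
audit() {
    state=$1
    missing=$(printf '%s\n' "$2" | unprotected_roots)
    echo "SIP: $state"
    [ -n "$missing" ] && echo "roots without restricted flag: $missing"
    [ "$state" = enabled ] && [ -z "$missing" ]
}

if command -v csrutil >/dev/null 2>&1; then
    # Live audit on a Mac.
    audit "$(sip_state "$(csrutil status 2>&1)")" "$(ls -ldO $SIP_ROOTS 2>/dev/null)" || echo "audit FAILED"
else
    audit "$(sip_state "$SAMPLE_STATUS")" "$SAMPLE_LS" || echo "audit FAILED (sample data)"
fi
```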

El Capitan also addressed over 100 security vulnerabilities, including:

  • 19 vulnerabilities in PHP (one a remote code execution flaw)
  • An Apple Online Store Kit flaw that could allow a malicious application to gain access to a user’s keychain items
  • A CFNetwork HTTPProtocol flaw that allowed a malicious website to track users in Safari private browsing mode
  • A flaw in EFI that could lead to a malicious Apple Ethernet Thunderbolt adapter affecting firmware flashing
  • A bucketload of kernel vulnerabilities, and more.

“The release of Mac OS X El Capitan today is a welcome update to Apple’s desktop operating system. As a free update, we expect adoption to be swift. However, we are aware that many will charge into the update without considering the implications for their non-Apple software and services, as well as compatibility with users running older versions,” noted Sergio Galindo, General Manager of GFI Software.

“Users and companies need to be mindful that a new version of MacOS will bring with it issues of application compatibility. There is no guarantee that existing apps will work, and it is unlikely that everyone has readied updates to correct El Capitan issues. Automated patch management will help significantly with rounding up patches and updates, so that when companies do migrate, it is as smooth a process as possible.”

“Testing before deploying is paramount, and being a later adopter is the safest bet. Users need to be told clearly why they should not self-initiate the update, and moreover, why they should not upgrade to new iCloud services,” he warned. “The latest iteration of iCloud services requires El Capitan and iOS 9 to be installed on all the user’s devices. This causes issues in environments where legacy machines are used and where others have not upgraded at the same time.”

OS X El Capitan 10.11 includes the security content of Safari 9, but for those who, for the time being, choose not to upgrade to it there is a standalone update for the popular browser, which fixes many critical flaws, mostly in WebKit.

A security update for iOS has also been released, and fixes one flaw: the passcode loophole that allowed a person with physical access to an iOS device to access photos and contacts from the lock screen.