The IT Nerd

So if you were holding off upgrading to Yosemite, you may no longer have a choice if you value the security of your Mac. Since OS X 10.7, there has been a flaw in an unpublished OS X API (application programming interface) used by OS X system processes to raise the level of the account to root level. Meaning that an evil doer could leverage this API to pretty much “pwn” your Mac. TrueSec’s Emil Kvarnhammar discovered this flaw and reported it to Apple immediately. The company asked Kvarnhammar to postpone public disclosure “due to the amount of changes required in OS X.” A fix came out when OS X 10.10.3 shipped yesterday. As an aside, I will have a report on OS X 10.10.3 along with the new Photos app amongst other items this weekend. Now the fact that this is fixed in the latest version of Yosemite is great if you’re running Apple’s latest and greatest OS. But if you’re not, you don’t get this fix. Thus you still have this flaw and it’s only a matter of time until someone finds a way to exploit this.

Apple seriously needs to reconsider this. While I understand that this is a complex fix, forcing users to update to the latest OS…. If they can as not all Macs are capable of running Yosemite….. to protect themselves is just wrong. Surely the security of Apple’s users is worth taking a run at properly fixing this for more than just those who run Yosemite?

This entry was posted on April 9, 2015 at 8:12 pm and is filed under Commentary with tags Apple, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.