Rootpipe, a “privilege escalation” vulnerability Apple patched in OS X 10.10.3, turns out to have a wider target area than original thought.
A “privilege escalation” vulnerability means that if someone already has malicious code on your Mac, they can use something like Rootpipe to gain deeper access. Think of it like this — if a criminal has already broken into your house, they can use a pipe to break open a locked cupboard. While the analogy starts to break down at this point, Apple thought they made the cupboard pipe-proof in OS X 10.10.3 but, after analyzing the new locks, a security specialist found another angle to attack it from.
In simple terms, Rootpipe works by using code from the System Preferences panes, which have to operate at an access level beyond other processes, to get deeper access to the processes that run on your Mac. Apple used technology involving remote view controllers, a relatively new addition to OS X, to better secure those processes. (Which also meant the patch couldn’t be back ported to older versions of OS X — they lack the remote view architecture.) After Apple tested and delivered the fix, an additional attack surface was discovered, and Rootpipe got a second lease on life.
In a perfect world the additional attack surface would have been discovered during the initial patching process. It apparently wasn’t, but has been now, so Apple’s going to have to go through the patching process again.
In the meantime, should any of us be afraid? No. As usual, we should be informed so we know what Rootpipe is, but also so we understand the odds of any of us being affected by it in the real world. Like I wrote last time:
The catch is, the Rootpipe exploit has to be executed on your Mac using an account with administrator (admin) privileges. An admin account is common enough — many people only have a single account on their Mac and do run as admin. Being able to execute the exploit is more challenging — an attacker would either have to have physical access to your Mac, or have previously gained remote access through some other method, such as malicious user-installed software, or a remotely exploitable vulnerability. And, with or without Rootpipe, if an attacker has gained remote access to your Mac, you already have problems.
Apple has been introducing new security features like Sandboxing, Gatekeeper, anti-phishing, anti-malware, and more in recent years, including the Mac App Store. That makes getting malicious code onto the Mac harder than ever. How many people actually download and install untrusted software at this point is hard to say, but if you’re one of them, this is definitely something you should pay attention to.
Yes, Apple has to patch Rootpipe again, and I assume the company is already working to do just that, and preventing privilege escalation attacks is tremendously important. The best defense for everyone, however, remains doing everything we can, all of us, from platform maker to end user, to prevent malicious software from getting on our machines to begin with.
Be empowered, not afraid.
Nick Arnott contributed to this article.