Developer reveals Mac security hole without telling Apple

Typically, coders and researchers who discover security vulnerabilities in software will tell the companies involved before posting their findings -- it's a courtesy to make sure that those holes are patched before attackers can use them. Don't tell that to developer Luca Todesco, though. He recently posted details of an OS X exploit, "tpwn," that lets intruders get root-level access to your Mac (even if it's running the recent 10.10.5 update) without even telling Apple, let alone waiting for a patch. It's now a race between the Cupertino crew and malware writers to make use of the discovery.

We've reached out to Apple to find out what it's doing in response to the flaw, and we'll let you know if it has something to share. However, Todesco isn't about to have a change of heart. He contends that an unofficial solution will protect you if you're not willing to wait, and that this isn't any different than publishing details of an iOS jailbreak (which takes advantage of security flaws to let you install unofficial software). Those are technically true, but they downplay the practical dangers of publishing this info. Many people aren't knowledgeable enough to try third-party safeguards or deal with the possible side effects, and jailbreaks are at least intended for semi-innocuous purposes. A 'surprise' exploit for the Mac only really serves to give attackers time that they wouldn't otherwise have.

Update: We understand that the exploit should be fixed as of OS X El Capitan, and that Apple is in touch with Todesco. Also, this attack typically requires some user intervention, so you can reduce the chances of an attack by downloading from and visiting only those sites you trust.