
OS X flaw leaves Macs vulnerable to attacks, no password required


The latest version of OS X contains a serious flaw that hackers can use to attack your computer without ever needing your password. The issue centers on a hidden file -- sudoers -- which is effectively a list of permissions as to which pieces of software are allowed to mess around with your computer. Unfortunately, a change to how Yosemite stores the list means that it's now possible to add malware to the register. As such, if you inadvertently run an offending script, hackers can take advantage of your computer's unwitting hospitality to install crapware like VSearch and MacKeeper.

The vulnerability was discovered by old-school iOS jailbreaker Stefan Esser, who, according to MalwareBytes, is accused of publicly revealing the flaw before telling Apple. That's a big faux pas in the security community, with Google going toe-to-toe with Microsoft about revealing as-yet unpatched flaws that have a real risk of harming users.

Esser has offered up his own kernel extension that could protect your machine against such attacks, which can be downloaded here. As Ars Technica says, however, installing a patch that didn't come from the original developer can be a risky business, and you should do so only if you know what you're doing. Naturally, we've reached out to Apple in the hope of getting some official comment on when a patch will be released, but the company had yet to respond at the time of publication.

Update: As you can see in the tweet below, Stefan Esser now believes that the particular hole has been closed in the beta version of OS X 10.10.5. In addition, people familiar with the matter have told us that the company is being proactive behind the scenes to ensure that its customers are protected.

Source: MalwareBytes, GitHub