OS X flaw leaves Macs vulnerable to attacks, no password required

The latest version of OS X contains a serious flaw that hackers can use to attack your computer without ever needing your password. The issue centers on a hidden file, sudoers, which is effectively a list of permissions governing which pieces of software are allowed to mess around with your computer. Unfortunately, a change to how Yosemite stores the list means that it's now possible to add malware to the register. As a result, if you inadvertently run an offending script, hackers can take advantage of your computer's unwitting hospitality to install crapware like VSearch and MacKeeper.

The vulnerability was discovered by old-school iOS jailbreaker Stefan Esser, who, according to MalwareBytes, is accused of publicly revealing the flaw before telling Apple. That's a big faux pas in the security community, with Google going toe-to-toe with Microsoft about revealing as-yet unpatched flaws that have a real risk of harming users.

Esser has offered up his own kernel extension that could protect your machine against such attacks, which can be downloaded here. As Ars Technica says, however, installing a patch that didn't come from the original developer can be a risky business, and you should do so only if you know what you're doing. Naturally, we've reached out to Apple in the hope of getting some official comment on when a patch will be released, but the company had yet to respond at the time of publication.

Update: In a tweet, Stefan Esser says he now believes that the particular hole has been closed in the beta version of OS X 10.10.5. In addition, people familiar with the matter have told us that the company is being proactive behind the scenes to ensure that its customers are protected.
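
The flaw described above ends with a changed sudoers file that lets software act as root with no password, so that file is the first thing to audit on a machine you suspect was hit. The shell functions below are an added example, not code from this article, from Esser or from Apple; the function names are made up for illustration, while the `NOPASSWD` tag and the `#0` uid form are standard sudoers syntax.

```shell
#!/bin/sh
# Added example: audit a sudoers file for password-less grants and for
# ownership or mode that would let a non-root process rewrite it.

# nopasswd_rules FILE
# Prints "LINE: rule" for each active rule carrying the NOPASSWD tag.
# Backslash-continued lines are joined first. A leading "#" is a comment
# unless digits follow it: "#0" is sudoers syntax for uid 0, i.e. a live rule.
# Files named by #include/#includedir are not followed; audit them as well.
nopasswd_rules() {
    awk '
        buf == "" && /^[ \t]*#([^0-9]|$)/ { next }    # comment or directive
        buf == "" { start = NR }                      # first line of a rule
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }  # continues on next line
        {
            line = buf $0; buf = ""
            sub(/#[^0-9].*$/, "", line)               # drop a trailing comment
            gsub(/[ \t]+/, " ", line)
            if (line ~ /NOPASSWD *:/) print start ": " line
        }
    ' "$1"
}

# sudoers_perms_ok FILE
# Succeeds only if FILE is owned by uid 0 and is not writable by group or
# others (the file is conventionally root-owned with mode 0440).
sudoers_perms_ok() {
    ls -ln "$1" 2>/dev/null | awk '
        NR == 1 { m = $1
                  ok = ($3 == 0 && substr(m, 6, 1) == "-" && substr(m, 9, 1) == "-") }
        END { exit !ok }'
}

# Stand-alone use: sh audit_sudoers.sh /etc/sudoers   (run as root to read it)
if [ $# -gt 0 ]; then
    nopasswd_rules "$1"
    sudoers_perms_ok "$1" || echo "WARNING: $1 has unexpected owner or mode" >&2
fi
```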

Source: MalwareBytes, GitHub