
Apple patches root escalation in Yosemite, older may not see patch
NewsPoster
MacNN Staff
Join Date: Jul 2012
Apr 10, 2015, 08:45 AM
 
Alongside bug fixes and other improvements, Apple has patched a longstanding security flaw which could give users with physical access to a machine root privileges, regardless of assigned permissions. The flaw, indexed as CVE-2015-1130, was reported to Apple in October of 2014, but Apple requested that it not be publicly disclosed until patched, due to the "substantial amount of changes" required to fix it.

The exploit takes advantage of a flaw in the Admin framework, which "was probably to serve the 'System Preferences' app and systemsetup (command-line tool)," but discoverer Emil Kvarnhammar of TrueSec notes that it can be used by any user process. The procedure for the attack, as well as the discovery process, is laid out in a detailed blog post about the matter published yesterday.

Kvarnhammar calls the exploit "a local privilege escalation to root, which can be used locally or combined with remote code execution exploits." The code still requires authentication to run, and it seems likely that default OS X application sandboxing settings would prevent a malicious app from executing, unless the user is persuaded by social engineering or unless distributed by an authenticated developer, or somehow used through an app on the Mac App Store. However, if the user has changed the default Mac security settings to allow any code to run, regardless of signing, this is more of an issue. Remote execution through a website is theoretically possible provided the user is tricked into authenticating it, but at first glance the exploit doesn't seem to be accomplished through Flash or Java.

The researcher notes, and recommends, that all users upgrade to the latest version of Yosemite, which positively fixes the flaw. Kvarnhammar claims that Apple informed him that prior versions of the OS won't be fixed due to the amount of work necessary to accomplish it. MacNN has inquired of Apple as to the veracity of the claim, and was told by a source who wished to remain anonymous that the patch for older OSes "is a low priority" since the risks of the exploit can be mitigated by physical security and "sanitary data acquisition procedures."
( Last edited by NewsPoster; Apr 10, 2015 at 11:34 AM. )
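The article's practical advice comes down to two checks an administrator can make on each Mac: is it on the Yosemite release line that received the fix, and has Gatekeeper been left at its shipped defaults rather than set to allow unsigned code from anywhere. The following POSIX sh script is an added example written for this page; it is not code from MacNN, TrueSec or Apple. It assumes the two real command-line tools `sw_vers -productVersion` and `spctl --status`, and because the page does not name the exact Yosemite point release that carries the fix, it only classifies whether a machine is on the 10.10 line at all (and so should confirm it is fully updated) or on an older release the article says will stay unpatched.

```shell
#!/bin/sh
# Added example (not from MacNN, TrueSec or Apple): classify an OS X version
# string against the release lines discussed in the article, and interpret
# Gatekeeper status. Pure functions first so they can run on any system;
# the live check at the bottom only runs where the Mac tools exist.

# Compare two dotted version strings component by component.
# Prints lt, eq or gt. A plain string compare would wrongly sort "10.9"
# after "10.10", which is exactly the 10.9 vs 10.10 distinction that matters here.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"          # missing trailing component counts as 0
        if [ "$ah" -lt "$bh" ]; then echo lt; return; fi
        if [ "$ah" -gt "$bh" ]; then echo gt; return; fi
    done
    echo eq
}

# Classify a productVersion string:
#   unpatched -> older than 10.10: per the article, no fix is planned; rely on
#                physical security and the shipped Gatekeeper defaults
#   yosemite  -> 10.10.x: a fix exists; confirm Software Update is current
#   newer     -> 10.11 or later: outside the scope of the article
classify_version() {
    v="$1"
    if [ "$(vercmp "$v" "10.10")" = lt ]; then
        echo unpatched
    elif [ "$(vercmp "$v" "10.11")" = lt ]; then
        echo yosemite
    else
        echo newer
    fi
}

# Interpret the output of `spctl --status`. "assessments enabled" means
# Gatekeeper still enforces the shipped defaults; "assessments disabled" means
# the user has allowed code from anywhere regardless of signing, the
# configuration the article flags as the riskier one.
gatekeeper_state() {
    case "$1" in
        *"assessments enabled"*)  echo enforcing ;;
        *"assessments disabled"*) echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Live check, only on a Mac where these tools exist.
if command -v sw_vers >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
    ver="$(sw_vers -productVersion)"
    echo "OS X $ver: $(classify_version "$ver")"
    echo "Gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
fi
```

Run it on each machine (or feed `classify_version` a list of versions collected from inventory); a result of `unpatched` together with `disabled` is the combination the article's source says must be covered by physical security and careful handling of data, since no software fix is coming for it.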
     
drbroom
Fresh-Faced Recruit
Join Date: Dec 2006
Location: NY
Apr 10, 2015, 11:37 AM
 
But Yosemite sucks in every other way! And still has over 100 other security flaws that "older" MacOSes don't have... I keep Mavericks for now!
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Apr 10, 2015, 02:01 PM
 
You're entitled to your opinion, but it's not backed up with facts. Our staff is almost entirely on Yosemite on our Macs, and while we can't say there have been no issues, we can say that we think overall this is the best version of OS X since Snow Leopard (which, for those with short memories, also had a large number of issues on launch).

However, the great thing is that Mavericks will continue to be fully supported for another couple of years -- so if you want to stick with it for a while yet, you certainly can. We thought very highly of it, as a refinement of what Apple accomplished with Mountain Lion. In my personal case, the new features included only in Yosemite have proved to be a huge boon to both productivity and enjoyment of the machine, which is what won me over. Trust me on this as a previous Yosemite skeptic -- real-life interaction with it is far more satisfying than some screenshots of the refreshed look might lead you to believe.
Charles Martin
MacNN Editor
     
just a poster
Forum Regular
Join Date: Jun 2004
Apr 10, 2015, 02:28 PM
 
"Amount of work" is a Soviet excuse. California law requires a company to support its product for a minimum of 7 years, so I don't think patches won't be forthcoming.

Note to the editors: I used to keep track but nowadays can't follow the code names for Apple products any longer. Yosemite? Which one is that? Mavericks? Which one is that? How about using numbers of the OS instead: 10.9, 10.10, etc. It saves me a search.
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Apr 10, 2015, 02:52 PM
 
Originally Posted by just a poster:
"Amount of work" is a Soviet excuse. California law requires a company to support its product for a minimum of 7 years, so I don't think patches won't be forthcoming.

Note to the editors: I used to keep track but nowadays can't follow the code names for Apple products any longer. Yosemite? Which one is that? Mavericks? Which one is that? How about using numbers of the OS instead: 10.9, 10.10, etc. It saves me a search.
The fix is keeping the security defaults the way they are, as the OS shipped, with full sandboxing. That fulfills California and Florida law.

We're still investigating.
     
Flying Meat
Senior User
Join Date: Jan 2007
Location: SF
Apr 10, 2015, 04:11 PM
 
Yosemite is a free upgrade, so they are supporting their products. And a 7 year OS? That's so... Microsoft.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Apr 10, 2015, 04:36 PM
 
just a poster: 10.6 is Snow Leopard, 10.7 is Lion, 10.8 is Mountain Lion, 10.9 is Mavericks, and 10.10 is Yosemite. We do spell out full names in articles, i.e. OS X 10.10 Yosemite, et al.
Charles Martin
MacNN Editor
     
just a poster
Forum Regular
Join Date: Jun 2004
Apr 10, 2015, 06:21 PM
 
Thanks, editors. I didn't intend to sound testy.

@Flying Meat - you may have a point, but it's a technicality.

I'm on Mavericks everywhere. Part of the reason I haven't gone Yosemite is because I no longer trust Apple with my privacy rights.
     
Flying Meat
Senior User
Join Date: Jan 2007
Location: SF
Apr 10, 2015, 08:15 PM
 
But aren't you therefore assuring the continued chance that someone else might ignore your privacy rights and gain full access to your machine's data remotely?
     
just a poster
Forum Regular
Join Date: Jun 2004
Apr 10, 2015, 11:19 PM
 
@flying, not so much. I guess I fear institutionalized spying more than a random hacker.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Apr 11, 2015, 02:19 AM
 
just a poster: I didn't take your "confusion" post as testy at all, happy to clear it up for you.

As far as security goes, nothing I say is going to change your mind on this, but I'll simply remind you that Tim Cook has been very clear on this point -- under oath in front of Congress, in many public statements, and elsewhere. He is legally liable in his capacity as CEO not to make false statements, nor does he seem in the slightest regard insincere, so not only do I take him at his word, the entire company has put itself out there on the record regarding privacy, and again are legally bound by these statements:

http://www.apple.com/privacy/

I entreat you to read all four sections of this webpage, and see if you feel the same way about the matter.
Charles Martin
MacNN Editor
     
DiabloConQueso
Grizzled Veteran
Join Date: Jun 2008
Apr 12, 2015, 08:34 AM
 
It would be interesting to see how many people who are concerned about their privacy, specifically as it stands with regard to Apple's services, use any of the following services:

- Google anything (Gmail, Google Drive, Google Docs, etc.)
- Dropbox
- Facebook
- Any kind of IMAP/POP email service
- AT&T/Comcast/Time-Warner/Verizon/CenturyLink/Charter/Cox/Sprint/Clear internet service (DSL, cable, fiber, satellite, WiMAX, etc.)

...and whether they'd rate Apple more or less "trustworthy" than any of those services.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Apr 12, 2015, 01:55 PM
 
Originally Posted by just a poster:
@flying, not so much. I guess I fear institutionalized spying more than a random hacker.
Apart from what Charles wrote, how is staying on Mavericks changing your transparency and privacy status over moving to Yosemite?

I mean, there are reasons not to go to Yosemite just yet, but privacy concerns are not one that makes any sense.
     
Chongo
Addicted to MacNN
Join Date: Aug 2007
Location: Phoenix, Arizona
Apr 12, 2015, 02:30 PM
 
Originally Posted by just a poster:
"Amount of work" is a Soviet excuse. California law requires a company to support its product for a minimum of 7 years, so I don't think patches won't be forthcoming.

Note to the editors: I used to keep track but nowadays can't follow the code names for Apple products any longer. Yosemite? Which one is that? Mavericks? Which one is that? How about using numbers of the OS instead: 10.9, 10.10, etc. It saves me a search.
If this is true, why hasn't Apple issued a fix for the slide show issues with iDVD?
45/47
     
DiabloConQueso
Grizzled Veteran
Join Date: Jun 2008
Apr 13, 2015, 12:23 AM
 
"Supporting a product for 7 years" doesn't necessarily mean being forced to fix every single major or minor bug that exists in the product. iDVD (despite DVDs being age-old media these days) is still a very viable and usable piece of software despite the bug you mentioned.
     
Chongo
Addicted to MacNN
Join Date: Aug 2007
Location: Phoenix, Arizona
Apr 13, 2015, 12:43 AM
 
Adding a slide show is useless now because the pictures are discolored. I make videos of family events and pictures are a big part of the DVD. The DVDs are usually for older family members who aren't tech savvy and still use DVD/Blu-ray players.
45/47
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Apr 13, 2015, 03:53 AM
 
Build the slideshow in iMovie instead and burn that.
     
Chongo
Addicted to MacNN
Join Date: Aug 2007
Location: Phoenix, Arizona
Apr 13, 2015, 08:46 AM
 
Originally Posted by Spheric Harlot:
Build the slideshow in iMovie instead and burn that.

I will try that. I was going to make a book in Photos from pics from my late brother-in-law's last birthday party, but it would be over $100. Unfortunately it was one of the few times I did not shoot video. I still will get Toast because it can do Blu-ray authoring. I bought a Pioneer DBXL Blu-ray/DVD burner for the new iMac.
45/47
     
Chongo
Addicted to MacNN
Join Date: Aug 2007
Location: Phoenix, Arizona
Apr 15, 2015, 12:26 AM
 
I'm not sure if this was an option with iPhoto. I see that Photos has a slide show export that turns it into a .M4V file. I made one and it pulls into iDVD.
45/47
     
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.