Apple's recent patch to fix a serious privilege escalation vulnerability in OS X Yosemite can be easily circumvented, a security researcher said.
Labeled "Rootpipe" by its finder, Emil Kvarnhammar of Swedish security company TrueSec, the bug could let attackers gain full access to a targeted Mac -- dubbed "root access" -- without having to know the administrative account's password, making it a breeze to silently install malware on the machine. Kvarnhammar disclosed the flaw last fall.
Apple pushed a patch for Rootpipe to Yosemite -- but not older editions of OS X -- on April 8 as part of the 10.10.3 update.
But the patch didn't close the hole, alleged Patrick Wardle, director of research at Menlo Park, Calif.-based Synack, a security startup that markets a vulnerability testing framework.
On his personal blog, Wardle briefly tipped the problem with Apple's patch. "I found a novel, yet trivial way for any local user to re-abuse Rootpipe -- even on a fully patched OS X 10.10.3 system," Wardle wrote on Saturday.
Wardle did not reveal technical details of his work-around, but said he had reported his findings to Apple.
Rootpipe is not just a theoretical vulnerability of interest to legitimate researchers: According to FireEye, malware exploiting the privilege escalation bug in OS X Mavericks -- Yosemite's predecessor -- and older editions has been circulating since at least mid-August 2014.
Other researchers chastised Apple for not properly fixing Rootpipe, adding to criticism that heated up earlier this month when Kvarnhammar said Apple had told him it would only patch Yosemite.
"I'm curious about next Apple fix attempt regarding rootpipe eh eh eh eh eh ;-)," tweeted Pedro Vilaça, an independent security researcher who specializes in OS X and iOS.