Back in October 2014, a Swedish White Hat hacker Emil Kvarnhammar claimed to have discovered a critical privilege escalation vulnerability, he dubbed the backdoor as "RootPipe," in some versions of Mac OS X including the then newest version 10.10 Yosemite.
The vulnerability (CVE-2015-1130) could allow an attacker to take full control of your desktop Mac computer or MacBook laptop, even without any authentication.
Keeping in mind the devastating effect of the RootPipe vulnerability, the researcher privately reported the flaw to Apple and did not disclose the details of the flaw publicly until the company released a patch to fix it.
Apple did release an update but failed to patch RootPipe:
Earlier this month, Apple released the latest version of Mac OS X Yosemite, i.e. OS X Yosemite 10.10.3, and claimed to have fixed the so-called Rootpipe backdoor, which had been residing on Mac computers since 2011.
However, the company did not fix the flaw in the older versions (below 10.10) of the operating system due to uncodified Apple policy on patching, leaving tens of millions of Mac users at risk.
"Apple indicated that this issue required a substantial amount of changes on their side and that they would not backport the fix to 10.9.x and older," Kvarnhammar said in a blog post on the TrueSec website.
But here’s the worse part:
Apple’s RootPipe vulnerability patch for Mac OS X Yosemite 10.10.3 is claimed to be itself vulnerable, which again left all the Mac machines vulnerable to the RootPipe attacks.
Patrick Wardle, an ex-NSA staffer and current director of R&D at Synack, claimed to have discovered…
...a new way around Apple's security fix to reabuse the Rootpipe vulnerability, again opening path to the highest privilege level – root access.
Though this time, the attack requires a hacker to have gained local privileges, which could most likely be obtained via a working exploit of other software sitting on Mac machines.
Here’s the Video Demonstration:
Wardle has demonstrated his hack attack in action in a video proof-of-concept (POC), which you can watch below:
Wardle has already reported his findings to the Apple’s security team and would not disclose the details of his attack code public before the company will not issue a complete and unbreakable fix.
Now, let's just hope to get a tough fix for Rootpipe backdoor this time from Apple. Last time the company took nearly six months to release a patch that was fooled by Wardle sitting on a flight.