A new Apple Mac OS X zero-day flaw has been discovered by an 18-year old Italian security researcher – and publicised before Apple has even had a chance to respond.
The potential exploit comes in the form of a privilege escalation flaw, via a bug in the interface code of Apple’s IOKitLib developer API. A flaw in the way OS X handles null pointers (a pointer is a value that refers to a location in memory; a “null” pointer is one that refers to no valid location at all) can be exploited in order to inject custom code.

The researcher, Luca Todesco, revealed that the flaw would only affect Macs running OS X Yosemite and Mavericks, versions 10.10 and 10.9. El Capitan, 10.11 – the latest version of OS X – is not affected, although it is only in the beta test phase.
Todesco – whose Twitter account rather ironically carries the legend “Responsible disclosure is killing the 0-day industry” – broke news of the exploit on GitHub, coming under criticism from the security community for making knowledge of it public before Apple had time to devise a fix.
The researcher also defended his actions on Twitter, saying, “There are a few reasons to drop a full kernel [zero-day] PoC [proof-of-concept] on Github. Apple’s slowness is not one of them”.
Symantec has also looked into Todesco’s claims and confirmed the validity of the flaw.
“The exploit uses two different vulnerabilities to create a memory corruption in the OS X kernel,” wrote Symantec Security Response.
“This is then used to bypass security features that block exploit code from running, providing the attacker with root access.”
Symantec also notes, however, that some social engineering – as is often the case with OS X exploits – is required in order to make the exploit code run.
Nevertheless, “while the vulnerabilities require the victim to voluntarily run an application in order for an attack to be successful, they represent a threat until a patch is published by Apple,” Symantec has advised.
Apple is yet to publicly comment on Todesco’s work.