Users of Apple’s Mac OS X are being warned to watch out for not one, but two new weaknesses in the platform which can be used in attacks – one of which is already in the wild.
The first, known as Rootpipe, affects multiple versions of Mac OS X, including the newest release, Yosemite. It lets an attacker gain “root” control of a computer, the highest level of access, without having to know a password.
Rootpipe could theoretically allow a hacker to install any malicious software that could be used to steal credit cards details or other personal data, among other things.
The other, called Wirelurker, is the first malware seen in the wild which targets iOS devices that haven’t been jailbroken. Wirelurker could be used to extract basic personal information from a phone. It tricks the user into installing it on their Mac, and then waits until an iPhone or iPad is plugged in over USB before using the trusted relationship between the two to install software on the mobile device.
Discovered by the Swedish hacker Emil Kvarnhammar, who works for security firm Truesec, Rootpipe is what’s known as a privilege escalation vulnerability. Modern operating systems employ several tiers of security, ensuring that a typical user can’t accidentally authorise software to damage their computer. The highest level of access, known as “root” access, is typically cordoned off from all but the most essential program.
Rootpipe is a vulnerability in Mac OS X which lets an attacker ignore that requirement, and access the root of the computer without needing a password. “Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin cant gain root access without entering the correct password. However, rootpipe circumvents this,” Kvarnhammar told MacWorld.
If abused, the vulnerability would malware developers far greater scope to damage a user’s computer without needing to ask, or trick, them into entering a password.
The hacker has reported the vulnerability to Apple, and is withholding further information on how, exactly, to trigger it until the company rolls out a patch to affected users – refusing even to get into the source of the name, since that reveals information which could be used to replicate the attack.
In the meantime, he says the simplest way to protect a computer is to stop using an administrative account on a day-to-day basis, instead using a normal user account unless something needs administrative privileges. He also recommends using Apple’s FileVault system, which is turned on by default in Mac OS X Yosemite.
Unlike Rootpipe, Wirelurker is already present in the wild, hitching a ride on certain versions of pirated Chinese software. When the user runs the pirated software, they accidentally install the malware as well.
Wirelurker then hangs around the infected system until the user plugs in a mobile device with a USB cable, at which point it scrapes personal data and attempts to install malicious copies of apps. If the user’s device is jailbroken – hacked, to let them install software without Apple’s permission – then it steals far more information, such as old iMessages and the contents of the user’s address book.
Currently, versions of the malware seen in the mild are fairly innocuous, seemingly more concerned with identifying the users of the pirated software than inflicting further harm. But the techniques used, which abuse Apple’s iDevice management systems, could open the door to much more damaging malware.
“WireLurker is unlike anything we’ve ever seen in terms of Apple iOS and OS X malware,” says Ryan Olson, the intelligence director of Palo Alto Networks, who discovered the malware. “The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world’s best-known desktop and mobile platforms.”
For users who have made a habit of downloading pirated Chinese software, Palo Alto Networks have released a detection tool to check whether they are infected with Wirelurker.
Apple did not respond to a request for comment.
This article was written by Alex Hern, for theguardian.com on Thursday 6th November 2014 13.36 Europe/Londonguardian.co.uk © Guardian News and Media Limited 2010