How to protect OS X from the ‘rootpipe’ vulnerability

“A relatively long-standing vulnerability in OS X has been uncovered by a Swedish hacker, Emil Kvarnhammar, who has dubbed it ‘rootpipe’ by the so-far undisclosed method in which it can be used to take control of your Mac,” Topher Kessler reports for MacIssues. “In this vulnerability, a flaw allows a hacker to gain administrative access of a system without supplying a password, and then be able to interact with your Mac as an administrator.”

“In contacting Apple about the issue, Kvarnhammar did not get a response; however, Apple has agreed upon a date in January for full disclosure of the vulnerability’s details, suggesting Apple has indirectly acknowledged the issue and is developing a fix to be out by then,” Kessler reports. “In the mean time, this and other privilege-escalation vulnerabilities can be managed by taking two important security steps with your Mac: Use a standard user account [and] use FileVault.”

Read more in the full article here.

15 Comments

  1. One important question is whether this vulnerability requires direct physical access to the device.

    These work arounds are already commonly used. It’s easy enough to validate administrative changes from a standard user account, and who isn’t encrypting with File Vault in the post-Snowden era.

    1. I have always wanted to do this, but just couldn’t pull the trigger.

      Do most people do this?
      Does it slow down the Mac?
      Does it increase used space on the hard drive?

      1. In response to your question:

        I use both Filevault and a Standard user account.

        It doesn’t slow down my Mac at all (and I have a 2008 Core 2 Duo iMac).

        I don’t recall how much disk space it uses but FileVault encrypts and decrypts your information in such a way that I literally forget that I even have it engaged.

        One thing that I think is worth mentioning is that YOU MUST HAVE COPIES OF YOUR FILEVAULT PASSWORD because if you lose that password, and for some reason need to restore you data, you’re screwed.

    2. Well, the administrator has to already be logged in – otherwise, there is no “privilege escalation”. Administrators are just standard users except for the ability to perform administrative tasks only after they re-enter their password.

      This vulnerability apparently allows *you* or a malicious program to gain admin privileges without needing the password. So yeah, it has to happen locally.

    3. Exactly mike (the good one!). Meanwhile, some rather irresponsible tech journalists are suggesting ‘rootpipe’ might have anything to do with remote access, infection and subsequent PWNing of Macs. Extremely doubtful. But we might get to wait two months to find out. 😛

  2. The first User ID created in OS X is 501 and it is designated to be admin. A lot of system functionality is tied to 501 being admin and demoting 501 to a regular user may bite you in the ass later on. Better is to simply copy your files to the new regular user and settle in there. iCloud KeyChain and the likes of 1Password will migrate the bulk of your passwords and iCloud itself will migrate a lot of other stuff.
    In the end it is more work, but you will end up with a sound system and a user configuration as it should have been in the first place: Admin just for admin tasks and regular users for work. Apple created the OS X “depleted” admin because it realised that it would not be able to sell this (standard) way of setting up the system to its customers. It compromised and it worked out well for them. But by doing so it created the possibility for a situation like this.

  3. You would have to download a malicious app to be affected, which I feel like I already know how to avoid. Just need to be bit more careful, knowing that apps can potentially get root access without a password.

    I’ll consider moving to a standard account if this becomes anything more than a proof of concept.

  4. There is an extremely high FUD and paranoia factor going on around ‘rootpipe’. The meagre video demo of it in action only shows a rootkit planted on an OS X Yosemite machine, indicative of nothing more than the bad guy having direct access to the computer, as in walking up to it, installing the rootkit. then running it.

    While we wait to find out if this is anything more than some lame publicity stunt, (and that wait may be until January!), the white hat’s provided recommendations, echoed here by Topher, are always a good idea.

  5. Apple needs to get off of it’s ass and put fingerprint readers in the keyboards so people will use passwords and accounts more effectively. Nothing is stopping Apple from including a fingerprint reader on the Apple Keyboard or Trackpad except the desire and intent.

    Used to have this ability until Apple bought AuthenTec and shut the company down. They then broke support for the Fingerprint readers with Mavericks. Smooth Move, Tim.

    The point is that the legitimate fears of many that losing files to FileVault over a lost password could easily be handled by a fingerprint reader in either the Apple Keyboard or the Apple Trackpad. They might even be able to figure a way to include it in the Mouse.

    1. As I’m sitting here reading your post, with my right thumb on the left side of the mouse, all I can think is how lefties will complain about only right handed mice being available. I like the concept, though!

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.