Apple preps fix for OS X privilege escalation bug

Apple “will patch a serious ‘privilege escalation’ bug in the next security update to its desktop operating system, Mac OS X 10.10.5, the Guardian has learned,” Alex Hern reports for The Guardian. “A second serious bug, Thunderstrike 2, which can allow attackers to overwrite a computer’s firmware using a malicious webpage, has already been partially patched in Mac OS X 10.10.4.”

“The most notable part of the Thunderstrike 2 vulnerability – which lets attackers create a ‘worm’ which can spread from computer to computer without human intervention – remains unfixed, though some experts have questioned its seriousness. Rich Mogull, a Mac security expert who covers the platform on the TidBITS news site, wrote that Thunderstrike 2 is less severe than it was made out to be,” Hern reports. “Mogull concluded that ‘nearly everyone can ignore Thunderstrike 2 entirely.’ For typical users, the worm is a mostly hypothetical threat compared to the already-patched web infection vector.”

“The Guardian understands that Apple has taken interim measures to prevent further exploitation of the vulnerability, including revoking the credentials of developers who use it, and including any app which does so on the company’s regularly updated list of malware,” Hern reports. “As such, unsuspecting users should be protected against specific attacks until a broader patch is released.”

Read more in the full article here.

MacDailyNews Take: Tempest in a teapot.

Bottom line: The Mac continues to get even more secure.

Thunderstrike 2 worm can infect your Mac without detection, but requires root access – August 3, 2015
Apple secures Macs against ‘Thunderstrike’ attacks in OS X 10.10.2 – January 24, 2015
Macs vulnerable to virtually undetectable malware that ‘can’t be removed’, but physical access is required – January 12, 2015
New proof-of-concept ‘Thunderstrike’ bootkit for OS X can permanently backdoor Macs – January 9, 2015


  1. MDN take is foolish. There is NO secure operating system. If it’s written by humans, then it can be exploited by humans. UNIX is NOT more inherently secure.

    Security is a world wide problem. To hide your head in the sand and say that your OS protects you is foolish and arrogant.

    1. I have a pat answer on my home computer, complete with links, to those who argue Unix, and Mac OS, are as insecure as other operating systems. It boils down to three things. 1. Mac OS ships with very few open ports, so it’s harder to attack remotely. 2. It has a dedicated group of devs who monitor and announce weaknesses. 3. Every function in Unix has to run from one of a very limited number of libraries. There is literally nowhere to hide. So while Mac OS is not infallible, it is very, very secure.

    2. Virulent – while in theory you are technically correct; you are not considering actual real world practice. In practical application: OS X has been the most secure operating system out there. No other operating system can claim the same amount of security for the average end user. And Mac OS X quickly gets better with each obscure security breach.

      In theory you will die any second! Practically that is unlikely unless you are 98+ years old.

      (I find it humorous how as more details are learned about each “its horrible the Mac world is falling” scare mongering: we learn that the vulnerability was minor.)

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.