Teen uncovers two zero-day vulnerabilities in OS X

“An Italian teenager has found two zero-day vulnerabilities in Apple’s OS X operating system that could be used to gain remote access to a computer,” Jeremy Kirk reports for IDG News Service.

“Luca Todesco, 18, posted details of the exploit he developed on GitHub,” Kirk reports. “The exploit uses two bugs to cause a memory corruption in OS X’s kernel, he wrote via email. The memory corruption condition can then be used to circumvent kernel address space layout randomization (kASLR), a defensive technique designed to thwart exploit code from running. The attacker then gains a root shell.”

“The exploit code works in OS X versions 10.9.5 through 10.10.5. It is fixed in OS X 10.11, the beta version of the next Apple OS nicknamed El Capitan,” Kirk reports. “Todesco, who said he does security research in his spare time, said he notified Apple of the problems ‘a few hours before the exploit was published.'”

Read more in the full article here.

MacDailyNews Take: Gee, thanks for the “few hours” notice, asshat.

21 Comments

  1. If Apple paid him a monthly stipend, he would graciously give them 30 days’ notice. Certainly he would hate to see something happen to Apple and Mac OS…

    Think of it as a kind of insurance policy.

      1. That could be a terrible mistake. You knows, the boys get a little antsy and clumsy. Things start to break. Who knows, the whole thing could come down, accidental like. This kid, he’s got a brother, an inspector of sorts. He should pay Apple a visit, let them know how to fix things that get broke.

        /s

  2. Such as it may be, Apple has been slow to fix some security issues. Second, there will be more hasty people like Luca Todesco. Third, my impression is that Apple is not exactly cooperative with all third parties on fixing bugs, including security bugs. Fourth, how did this bug slip through?

    Of these 4 aspects, 3 are in Apple’s court, but MDN’s take focussed on the non-Apple aspect.

    1. This kid publishing it *IS* the big issue.

      He tries to come across as a white hat hacker, but gives Apple only a few hours to fix a bug before he publishes the exploit? Doing that does NO ONE any good (other than getting his name out there for his 20 minutes of fame).

      Yes, Apple has been slow to fix some security issues. Name ONE, yes just one, company that has always fixed ALL security issues promptly. Even Google, with its own outing list of other companies’ bugs and security faults, has sometimes taken many, many months to fix some security bugs, and don’t get me started on Microsoft and the rest.

      Apple *is* cooperative with most white hat security people. What Apple refuses to do is give those hackers the raw source code to the entire system — and believe it or not, some of those so-called white hat hackers have demanded that kind of access. “If you want me to fully demonstrate the bug and help with a fix, then you must give me direct access to the raw code.” When Apple refuses, those same hackers go ballistic and claim Apple won’t work with them. Yes, Apple will work with hackers, UP TO A POINT.

      How did this bug slip through? It’s a complex bug. Anyone who has done a decent amount of programming (done it for more than a decade and more than just scripting) knows that bugs happen. They just do. I don’t think I’ve ever written a program that had more than a few thousand lines of code that did not have a bug. You just take your time and *eventually* you hope to dig them out and fix them.

      On something as complex as OS X no one can envision all the possible routes through the software. No one. And, with nearly yearly updates to the code, it is literally impossible to squash every bug before the operating system gets into the wild.

      1. I think hackers who publish exploits for hacking a system should be held accountable for the results, until the company owning the affected code has had a reasonable amount of time to fix it.

        With that scenario, the companies should be incentivized to REWARD these people for informing them of the flaw, which would then encourage them to find more and quietly report them back to the company to fix.

        Everyone wins.

        Well, except for the asshats who would have exploited the flaw for illegal purposes. But f*** them anyway.

  3. If you look at the exploit code, it’s no wonder that it works. We’re not talking about a simple “bug”… dozens of lines of code, loops, memory pressure, etc.

    Looking at that code makes me have more respect for Apple engineers in trying to keep this stuff from being exploited.

    Think of it like expecting a car company to build a small 2-seater car that is expected to pull 10 train-cars filled with coal.

    This Italian teenager is basically brute-forcing the system into having a heart attack.

  4. MDN blames some poor kid for Apple’s error. Did Apple warn consumers about this problem?

    I’m glad to read that the exploit was corrected for El Capitan, which means Apple knew the problem existed. Should Apple have corrected this exploit for earlier versions of the OS?
