tpwn OS X exploit: What you need to know

“tpwn is a vulnerability that affects OS X 10.9.5 Mavericks through OS X 10.10.5 Yosemite, but does not affect the currently-in-beta OS X 10.11 El Capitan,” Rene Ritchie reports for iMore.

“With tpwn, malicious code on your Mac could escalate its privileges — gain ‘root’ access — and potentially exploit the system,” Ritchie reports. “The vulnerability was released without warning — also known as a 0day — and without prior disclosure to Apple. That means Apple learned about it pretty much when the rest of the world did.”

“There’s no indication of attacks based on twpn ‘in the wild’ and so the vast majority of people have very little to be concerned about at the moment. twpn would also need to be used in conjuncture with something else, like a social engineering attack that conned you into letting it onto your Mac, before it could do anything,” Ritchie reports. “So, the usual advice applies: Don’t download software from any source you don’t absolutely trust.”

Read more in the full article here.

MacDailyNews Note: Here’s our usual oft-repeated reminder for Mac users and anyone who’s trying to use any other platform: Do not download and authorize the installation of applications (Trojans) from untrusted sources. No OS can protect users from themselves (or we wouldn’t be able to install any software). Those who grant attackers access to their Macs, should not be surprised to find their Macs are compromised.

Teen uncovers two zero-day vulnerabilities in OS X – August 17, 2015


  1. My most excellent colleague Topher Kessler covered these security vulnerabilities much better, and before René Richie:

    New Zero-Day memory injection vulnerability discovered in OS X

    And PCWorld beat Topher:

    Italian teen finds two zero-day vulnerabilities in Apple’s OS X

    There’s a tool out called NULLGuard, provided by Luca Todesco, who discovered these vulnerabilities, that can block related exploits. But before you consider trying it, read through Topher’s article at He has some very relevant advice.

    1. BTW: For the sake of “†” and other people yawning about OS X security flaws:

      Last week Apple provided updates with massive security patches included. Massive is not an exaggeration. Like all software, Apple has to endure and patch an incredible number of coding mistakes and oversights. It’s the state of the art; It’s a mess.

      BUT, over the last year Apple has literally been sitting on its lazy butt regarding too long a list of security problems. Apple has STILL not fixed the Thunderstrike 2 EFI rootkit security hole, although they’ve been trying.

      Therefore, publicizing ongoing, unpatched, dangerous OS X and iOS security holes has become IMPERATIVE if only to give Apple a steal-toed boot kick up the arse and motivate them to solve these problems ASAP instead of as long as 9 bloody months after they’ve been reported to them. Not kidding. That’s outrageous Apple.

      And yes Apple-haters. We Apple fanbois are Apple’s BIGGEST critics. So step aside. WE do the kicking of Apple’s butt around here. Watch and learn, then take your newly acquired skills home to do the same to your Android and Windows crapware providers. 😛

      1. How many more years of poor security support will we endure from Apple before the fanboys admit that Apple is rapidly becoming the new Microsoft? Yes, it is getting that bad.

        1. What is it with the hallucinating Apple haters these days? I go OCD about Apple sitting around for months pondering security flaws reported to them, and suddenly ingestion of psychedelics in certain individuals turns Apple into something remotely as ridiculous as MICROSOFT.

          Q: Has Apple every perpetrated anything as ridiculous as ActiveX, that proprietary Internet ‘standard’ that is a WIDE OPEN GATEWAY to infect Windows users with malware?

          A: NO.

          Get some perspective, LSD waste cases. Sheesh. 😛

          1. I personally like the analogy I use when people state that Apple has “viruses” too:

            Sure, with an Apple you risk a pigeon shitting on your head, with Microsoft you risk being covered by the contents of a cesspit…..

            1. And Android too. There is now a seventh Stagefright exploit in the wild unpatched. There are hundreds of thousands of Android devices that are vulnerable and locking up the device only takes a single MMS message. OMFG.

              Meanwhile, there is a new iOS exploit called ‘Quicksand’ that is exclusive to enterprise iOS devices, requires direct access to the target device or a Trojan to be installed by the intended victim, so complicated to enact that it’s an almost total snoozer. It’s related to the ‘Masque Attack’, which Apple refuses to close. But the number of pwned iOS devices is teeny tiny.

              – What a comparison.

              There’s no such thing as perfect security. Lawd knows Apple patched a massive pile of security flaws last week. But consistently, Apple’s somewhat compromised attention to security still runs rings around all the alternatives except other BSD Unix OSes and Linux.

              IOW: Yup! It sucks to be stuck on Windows and/or Android.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.