Developer reveals Mac security hole without telling Apple

The 'tpwn' exploit in a Mac's command-line terminal

Typically, coders and researchers who discover security vulnerabilities in software will tell the companies involved before posting their findings — it’s a courtesy to make sure that those holes are patched before attackers can use them. Don’t tell that to developer Luca Todesco, though. He recently posted details of an OS X exploit, “tpwn,” that lets intruders get root-level access to your Mac (even if it’s running the recent 10.10.5 update), and he did so without even telling Apple, let alone waiting for a patch. It’s now a race between the Cupertino crew, which has to close the hole, and malware writers looking to make use of the discovery.

We’ve reached out to Apple to find out what it’s doing in response to the flaw, and we’ll let you know if it has something to share. However, Todesco isn’t about to have a change of heart. He contends that an unofficial solution will protect you if you’re not willing to wait, and that this isn’t any different than publishing details of an iOS jailbreak (which takes advantage of security flaws to let you install unofficial software). Both points are technically true, but they downplay the practical dangers of publishing this info. Many people aren’t knowledgeable enough to try third-party safeguards or deal with the possible side effects, and jailbreaks are at least intended for semi-innocuous purposes. A ‘surprise’ exploit for the Mac only really serves to give attackers time that they wouldn’t otherwise have.

Tags: apple, exploit, internet, kpwn, mac, osx, security, tpwn, vulnerability, zero-day

Source: Engadget

Author: Daily Tech Whip
