OS X flaw leaves Macs vulnerable to attacks, no password required

The latest version of OS X contains a serious flaw that hackers can use to attack your computer without ever needing your password. The issue centers on a hidden file, Sudoers, which is effectively a list of permissions governing which pieces of software are allowed to mess around with your computer. Unfortunately, a change to how Yosemite stores the list means that it’s now possible for malware to be added to the register. As such, if you inadvertently run an offending script, hackers can take advantage of your computer’s unwitting hospitality to install crapware like VSearch and MacKeeper.

The vulnerability was discovered by old-school iOS jailbreaker Stefan Esser who, according to MalwareBytes, is accused of publicly revealing the flaw before telling Apple. That’s a big faux pas in the security community, with Google going toe-to-toe with Microsoft about revealing as-yet unpatched flaws that have a real risk of harming users.

Esser has offered up his own kernel extension that could protect your machine against such attacks, which can be downloaded here. As Ars Technica says, however, installing a patch that didn’t come from the original developer can be a risky business and you should do so only if you know what you’re doing. Naturally, we’ve reached out to Apple in the hope of getting some official comment on when a patch will be released, but the company had yet to respond at the time of publication.

Via: Ars Technica, AppleInsider

Source: MalwareBytes, GitHub

Tags: apple, Flaw, Malware, OSX, Security

Source: Engadget

Author: Daily Tech Whip
