If you ask most casual Mac OS X users why they made the switch from Windows to Apple’s OS X, an overwhelming amount of them will talk about ease of use and the lack of malware. For many Apple fans, having the sense of security that Mac OS provides is more than enough to pay the premium associated with Apple products.
On Monday, security researchers at Malwarebytes stumbled across an installer that is capable of exploiting systems without the need for a system password.
What’s the Skinny?
In a recent update to OS X — affecting 10.10.4 and 10.10.5 versions of OS X — developers overlooked standard safeguards which have allowed hackers to view and create files with root privileges. This severe exploit has allowed hackers to infect Macs with adware and junkware through malicious installers without needing the user’s password to gain root access to the system.
In a recent blog post Malwarebytes goes into deeper technical detail about how hackers are able to exploit the flaw.
Users Running 10.11 Are Golden
Stefan Esser, a security researcher at Malwarebytes, has said that the flaw is currently present in 10.10.4 and possibly in some versions of 10.10.5 of OS X. Esser said on Twitter that the exploit is apparently fixed in the 10.10.5 beta “2”. Users currently running 10.11 have nothing to worry about since researchers are unable to reproduce the bug while running this version of OS X.
Wait for the Patch
The fix in the 10.10.5 beta and the absence of the bug in 10.11 is a good sign that Apple is currently hard at work trying to patch the flaw for users across the board. Unfortunately, for systems still running 10.10.4, there is no real fix available at the moment. Esser has produced a third-party patch, but says that this could also potentially be a problem since it isn’t made by Apple.
So, for users currently at risk, browsing the internet is potentially dangerous. Esser’s patch can be found here, but Apple advises against installing any type of third-party patches, and suggests users just hang tight until they can get an official patch out soon.
