In October 2014 a Swedish hacker by the name of Emil Kvarnhammar claimed to have found a very serious security backdoor in OS X 10.7-10.10 that could be potentially exploited to allow full root access. He called this vulnerability Rootpipe, and for the first time in OS X history there was legitimate concern that Mac malware could be on the horizon similar to what’s found in the Windows world… the bad kind where a hacker could gain full access/control to the Mac without the user’s knowledge. In theory this could be delivered simply by visiting a webpage with malicious Java or Flash code exploiting the Rootpipe backdoor.
Emil posted a video showing his initial findings, did an interview with Macworld, contacted Apple about what he found, and reported the issue to US-CERT. Apple told him they would patch it, and Emil promised Apple he would not disclose anything else until then.
On 4/8/15 Apple finally included a patch for Rootpipe with the OS X 10.10.3 update. Apple also released Security Updates for OS X 10.8 and 10.9 at the same time, but these Security Updates DID NOT include the Rootpipe patch.
Following Apple’s release of the OS X 10.10.3 update, Emil disclosed full details about the Rootpipe vulnerability on his TrueSec blog, including proof of concept code.
So on the surface this looks like a bad scenario… Apple has only released a Rootpipe patch for Yosemite, and the Rootpipe code has been publicly posted for any hacker to exploit. Unfortunately things aren’t a cut and dry as they would appear.
Over the last couple of weeks a slew of questionable information has been circulating through the web… most notably hundreds of websites alerting people that they should immediately upgrade to OS X 10.10.3 no matter what version of OS X they are running, because Apple is refusing to release a patch to address this vulnerability with older versions of OS X.
I’ve been actively researching this situation, and in a nutshell I’ve concluded there is no need to panic (or upgrade to Yosemite) if you are running OS X 10.9 or older.
Here’s my assessment on Rootpipe as of 4/20/15:
- Several security blogs are claiming that the Rootpipe vulnerability still exists in OS X 10.10.3, and that Apple’s patch is incomplete. The security firm Synack has even posted a video of Rootpipe being exploited in OS X 10.10.3.
- Apple never publically stated that they won’t be releasing a Rootpipe patch for older versions of OS X. The rumor that Apple is only patching Yosemite steams from this unsubstantiated comment on Emil’s blog… “Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older”.
- Although it would appear that the proof of concept code Emil posted to his blog could be used to create some very nasty malware, to date no threat has surfaced. It’s quite possible that Emil is exaggerating the actual risk, and malware exploiting Rootpipe may never materialize “in the wild” due to other inherit security aspects of OS X: Including, Gatekeeper, sandboxing, and XProtect.
- The Reverse Engineering Mac OS X blog has examined the Rootpipe patch included in OS X 10.10.3, and have posted code for how to potentially patch this in Mavericks. If Apple never releases Rootpipe Security Updates for older versions of OS X, it’s quite possible the open source community will if/when necessary.
- In my opinion, Apple likely released the Rootpipe patch with OS X 10.10.3 knowing it was incomplete, and that’s why they didn’t include it with the last round of Security Updates for OS X 10.8 and 10.9. Because Apple has a history of always releasing security patches for the previous two versions of OS X, and because they haven’t publicly stated anything about this situation, I’m hesitant to believe all the hype.
My assessment on Rootpipe will change immediately if tomorrow malware surfaces “in the wild” that exploits it. But for the moment I’m just recommending that you have all the Apple updates applied for the version of OS X you are running.