Apple issued an OS X Yosemite update earlier this month that remedied a flaw known as Rootpipe. First disclosed last October by security researcher Emil Kvarnhammar (though it had existed since at least 2011), the flaw allows a local attacker to escalate privileges to root through a hidden backdoor API used by the System Preferences app.
A second security researcher, Patrick Wardle, attempted to exploit the vulnerability on a fully patched machine and succeeded.
In a post on Objective-See, Wardle said he was on a return flight from a conference when he stumbled upon what he describes as a novel, yet trivial way for any local user to re-abuse Rootpipe. Wardle didn’t provide the technical details of the attack in the spirit of responsible disclosure (except to Apple, of course) but wanted other OS X users to be aware of the risk.
In an e-mailed statement to Forbes, Wardle said he was tempted to walk into an Apple store and try the exploit on a display model but stuck to testing it on his personal laptop.
Wardle, currently the director of research and development at security firm Synack, has made a name for himself in the security community by presenting at conferences including DEF CON, Virus Bulletin, ShmooCon and CanSecWest.
Apple could have its hands full with Rootpipe. Another security researcher, Pedro Vilaça, told Forbes that the original fix was doomed from its release because there are so many ways to bypass it “due to the wrong fix design.”
Apple has also been criticized for issuing a patch only for OS X Yosemite, effectively leaving the large number of Mac users still on earlier releases unprotected.