Apple has fixed a bug in its desktop operating system that could have given hackers access to the entire OS.
Released on Thursday, Mac OS X 10.10.5 resolves scores of holes and technical glitches. But one serious bug in particular was squashed along with the rest. Known as DYLD, this vulnerability in Apple’s OS X was considered serious because it enables hackers to remotely run a program on a Mac using administrator rights, which opens up wide access to the entire operating system. The vulnerability had already been exploited “in the wild,” or in the real world, according to the Guardian, with at least one adware installer taking advantage of it.
The Mac OS has long enjoyed a reputation as more secure than Windows. But just like Microsoft, Apple has to do its fair share of patching with regular updates and bug fixes. The latest update resolves more than 100 different bugs affecting Bluetooth, QuickTime, the Mac OS X kernel, the Mac’s Notification Center and other features. In the past, Apple has sometimes been slow about patching individual bugs, whereas Microsoft rolls out a series of patches on a monthly basis through its Patch Tuesday program.
Apple’s details on the bug fix, which is available for OS X Yosemite versions 10.10 through 10.10.4, said that with the vulnerability, “a local user may be able to execute arbitrary code with system privileges.” Apple noted that the problem was due to a “path validation issue” in DYLD and that the issue was addressed through “improved environment sanitization.” Apple did not immediately reply to CNET’s request for a layman’s explanation of these terms.
The DYLD bug was first reported by security researcher Stefan Esser. In a tweet posted late Thursday, Esser said: “Hmm so Apple released 10.10.5 fixed some bugs and made another security problem worse than before.” Esser didn’t reveal which security problem was allegedly made worse. But he reportedly has advised Mac users not to uninstall his SUIDGuard kernel extension, which guards against attacks that take advantage of the DYLD hole, according to security news site SecurityWeek.
Source: Yahoo Tech