
OS X flaw leaves Macs vulnerable to attacks, no password required

The latest version of OS X contains a serious flaw that hackers can use to attack your computer without ever needing your password. The issue centers on a hidden document -- Sudoers -- which is effectively a list of permissions as to which pieces of software are allowed to mess around with your computer. Unfortunately, a change to how Yosemite stores the list means that it's now possible to add malware to the register. As such, if you inadvertently run an offending script, hackers can take advantage of your computer's unwitting hospitality to install crapware like VSearch and MacKeeper.

The vulnerability was discovered by old-school iOS jailbreaker Stefan Esser, who, according to Malwarebytes, is accused of publicly revealing the flaw before telling Apple. That's a big faux pas in the security community, with Google going toe-to-toe with Microsoft about revealing as-yet unpatched flaws that have a real risk of harming users.

Esser has offered up his own kernel extension that could protect your machine against such attacks, which can be downloaded here. As Ars Technica says, however, installing a patch that didn't come from the original developer can be a risky business and you should do so only if you know what you're doing. Naturally, we've reached out to Apple in the hope of getting some official comment on when a patch will be released, but the company had yet to respond at the time of publication.

Update: As you can see in the tweet below, Stefan Esser now believes that the particular hole has been closed in the beta version of OS X 10.10.5. In addition, people familiar with the matter have told us that the company is being proactive behind the scenes to ensure that its customers are protected.