vulnerability Stories November 28, 2017

Update #2: An official fix is now available; no restart required.

Update: An Apple spokesperson has issued the following statement, saying an update is in the works:

“We are working on a software update to address this issue. In the meantime, setting a root password prevents unauthorized access to your Mac. To enable the Root User and set a password, please follow the instructions here. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.”

A newly discovered macOS High Sierra flaw potentially leaves your personal data at risk. Developer Lemi Orhan Ergin disclosed it publicly by asking Apple Support about it on Twitter. Anyone who can reach an authentication prompt on a High Sierra machine (the lock icon in System Preferences, or the login window itself) can log in as the root user by entering the username root with an empty password, sometimes on the second attempt. That gives them full control of the system, including the ability to read and change every user's files, without ever supplying admin credentials.

Users who have not set a root password (likely most) are open to this vulnerability, and leaving guest user account access enabled makes it easier for someone without an account of their own to reach an authentication prompt. Until the official fix from Apple is installed, setting a root password as described in Apple's statement above closes the hole; our full story walks through the steps.


vulnerability Stories December 19, 2016

macOS 10.12.2 fixed vulnerability that allowed Thunderbolt device to obtain password from locked Mac [Video]

Security researcher Ulf Frisk has shared details of a vulnerability in macOS 10.12.1 and lower that allowed anyone with physical access to a locked or sleeping Mac to quickly obtain the FileVault disk-encryption password simply by plugging in a $300 Thunderbolt device. The device reads the Mac's RAM directly over DMA while the machine reboots, before the operating system has enabled its IOMMU protections, and the password is sitting in memory in cleartext. macOS 10.12.2 closes the hole by turning on DMA protection earlier in the boot process.

vulnerability Stories November 11, 2016

Security conference organizer Vangelis has tweeted that a joint team of Pangu and JH hackers have successfully claimed the maximum $100,000 prize on offer at the PWNFEST event for finding a Safari exploit that gave them root access on macOS Sierra …


vulnerability Stories February 9, 2016

A new vulnerability in Sparkle has put a “huge” number of Mac applications at risk of hijacking. For those unfamiliar, Sparkle is an update framework commonly bundled by third-party apps distributed outside the App Store to push updates to users. Apps whose Sparkle feed (the appcast) is fetched over plain HTTP can be hijacked by a man-in-the-middle on the network, who serves a malicious appcast and release notes that end up running arbitrary code on the machine; apps susceptible include Camtasia, uTorrent, DuetDisplay, and Sketch. The attack applies to both OS X Yosemite and El Capitan, and the defence is for developers to ship the patched Sparkle release (1.13.1) and serve the appcast over HTTPS (via Ars Technica).
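As an added example (not code from the article or from the Sparkle project), the script below audits installed app bundles the way a practitioner would triage this on their own machine: it reads each app's Info.plist, looks at the Sparkle feed key `SUFeedURL`, and flags feeds that are not served over HTTPS, and it checks the bundled Sparkle.framework version against the 1.13.1 fix. The sample plists at the bottom are constructed inline so the checks run offline; the `/Applications` walk is what you would run on a real Mac. One caveat: Sparkle also lets an app supply its feed URL at runtime (via the updater delegate or user defaults), so an Info.plist with no `SUFeedURL` is not proof the app is safe.

```python
"""Audit macOS .app bundles for Sparkle appcast feeds fetched over plain HTTP."""
import os
import plistlib
from urllib.parse import urlparse

FEED_KEY = "SUFeedURL"          # Sparkle's Info.plist key for the appcast URL
FIXED_SPARKLE = (1, 13, 1)      # first Sparkle release with the HTTP appcast fix


def classify_feed(plist_bytes: bytes) -> str:
    """Return 'no-sparkle', 'insecure' or 'secure' for one Info.plist's feed URL."""
    info = plistlib.loads(plist_bytes)
    feed = info.get(FEED_KEY)
    if not feed:
        return "no-sparkle"   # may still use Sparkle with a runtime-supplied feed
    scheme = urlparse(feed).scheme.lower()
    # Only https is acceptable; http (or a bare host with no scheme) is MITM-able.
    return "secure" if scheme == "https" else "insecure"


def sparkle_version_is_fixed(version: str) -> bool:
    """True if a Sparkle.framework CFBundleShortVersionString is >= 1.13.1."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) >= FIXED_SPARKLE


def audit_bundle(app_path: str) -> dict:
    """Inspect one .app bundle: feed scheme plus bundled Sparkle version, if any."""
    result = {"feed": "unreadable", "sparkle_version": None, "fixed": None}
    info_path = os.path.join(app_path, "Contents", "Info.plist")
    try:
        with open(info_path, "rb") as fh:
            result["feed"] = classify_feed(fh.read())
    except (OSError, plistlib.InvalidFileException, ValueError):
        return result
    fw_plist = os.path.join(app_path, "Contents", "Frameworks",
                            "Sparkle.framework", "Resources", "Info.plist")
    if os.path.isfile(fw_plist):
        try:
            with open(fw_plist, "rb") as fh:
                ver = plistlib.loads(fh.read()).get("CFBundleShortVersionString", "")
            result["sparkle_version"] = ver
            result["fixed"] = sparkle_version_is_fixed(ver)
        except (OSError, plistlib.InvalidFileException, ValueError):
            pass
    return result


def audit_applications(root: str = "/Applications") -> dict:
    """Walk the top level of an Applications folder and audit every .app found."""
    findings = {}
    if not os.path.isdir(root):
        return findings
    for entry in sorted(os.listdir(root)):
        if entry.endswith(".app"):
            findings[entry] = audit_bundle(os.path.join(root, entry))
    return findings


# Constructed sample Info.plist contents (hypothetical apps, not real bundles).
SAMPLE_INSECURE = plistlib.dumps({
    "CFBundleIdentifier": "com.example.insecureapp",
    FEED_KEY: "http://updates.example.com/appcast.xml",
})
SAMPLE_SECURE = plistlib.dumps({
    "CFBundleIdentifier": "com.example.secureapp",
    FEED_KEY: "https://updates.example.com/appcast.xml",
})
SAMPLE_NO_FEED = plistlib.dumps({"CFBundleIdentifier": "com.example.plainapp"})

if __name__ == "__main__":
    for name, data in (("insecureapp", SAMPLE_INSECURE),
                       ("secureapp", SAMPLE_SECURE),
                       ("plainapp", SAMPLE_NO_FEED)):
        print(f"{name}: {classify_feed(data)}")
    for app, finding in audit_applications().items():
        if finding["feed"] == "insecure" or finding["fixed"] is False:
            print(f"{app}: feed={finding['feed']} sparkle={finding['sparkle_version']}")
```

Run it on a Mac to get a list of bundles worth updating; on any other system it only exercises the constructed samples. Treat `insecure` as "update or remove" and `fixed == False` as "nag the developer", since a patched Sparkle still cannot help an app whose feed stays on HTTP.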


vulnerability Stories June 2, 2015

A serious vulnerability in Macs more than a year old would allow an attacker to take permanent control of the machine, retaining control even if the user reinstalls OS X or reformats the drive.

The vulnerability was discovered by security researcher Pedro Vilaca, who found a way to reflash the Mac's EFI boot firmware (the “BIOS”) – code stored in flash memory on the logic board, not on the drive. On the affected Macs the firmware's write-protection is not re-applied after the machine wakes from sleep, so code already running as root can overwrite it. This means that the machine remains compromised even if the hard drive is physically replaced …

vulnerability Stories April 21, 2015

A former NSA staffer says that the OS X 10.10.3 update which Apple claims fixed a significant security vulnerability has failed to do so, reports Forbes. Patrick Wardle, who now heads up research at security firm Synack, demonstrated the vulnerability in a video (without revealing exactly how it was done) to allow Apple time to issue a further fix.

The Rootpipe vulnerability allows an attacker with local access to a Mac to escalate their privileges to root – giving them full control of the machine – without further authentication. A second security researcher confirmed the flaw …
