Connect with us

Hi, what are you looking for?



Apple Failed to Properly Fix “Rootpipe” Bug in OS X: Researchers

Apple’s recent fix for the OS X privilege escalation vulnerability dubbed “rootpipe” isn’t effective, according to researchers.

Apple’s recent fix for the OS X privilege escalation vulnerability dubbed “rootpipe” isn’t effective, according to researchers.

The rootpipe vulnerability was reported to Apple last year by TrueSec security software engineer Emil Kvarnhammar. The security hole (CVE-2015-1130), which exists in OS X’s Admin framework, allows an attacker to gain root privileges. The hidden backdoor can be exploited by a local attacker, but it’s also possible to leverage the vulnerability remotely in combination with other remote code execution exploits.

Apple attempted to patch the flaw on April 8 with the release of OS X Yosemite 10.10.3. However, many people are displeased with the fact that the company decided not to address the vulnerability in older version of its operating system. Apple said it was not backporting the fix to older versions because of the substantial amount of changes required.

However, according to Patrick Wardle, director of research at Synack, not only older OS X versions remain vulnerable to rootpipe attacks. The expert says he has found a way to bypass Apple’s fix.

“I found a novel, yet trivial way for any local user to re-abuse rootpipe – even on a fully patched OS X 10.10.3 system,” Wardle wrote in a brief blog post.

The researcher has notified Apple and he says he’s not providing any technical details until the company releases a proper fix. However, he has published a short video to demonstrate that the attack still works.

Kvarnhammar said he initially believed that using entitlement checks to address the issue was a reasonable approach, but now he too has thought of a way to bypass the checks added by Apple in OS X 10.10.3.

Advertisement. Scroll to continue reading.

Security researcher Pedro Vilaça (@osxreverser) noted on Twitter that there are several ways to bypass Apple’s roopipe fix. German researcher Stefan Esser (i0n1c), an expert in OS X/iOS security, believes that it’s unlikely that Apple will make another attempt at resolving the vulnerability any time soon.

It’s worth noting that it took Apple six months to release the first patch after being notified by Kvarnhammar.

As for the lack of a rootpipe patch for older versions of OS X, Vilaça believes the task is not as difficult as Apple claims. The expert says the company is acting irresponsibly by refusing to protect users of older versions of the operating system, especially since fully working exploits are publicly available.

Vilaça also pointed out in his blog post that a piece of malware had already been exploiting this vulnerability in 2014.

Kvarnhammar also hopes Apple will reconsider and release a patch for older versions as well. However, the expert believes the company is trying to invest a minimum amount of effort in older versions of OS X, and push users to the latest version.

“Fixing buffer overflows and similar is one thing (they usually back port that kind of issues), but fixing architectural issues like rootpipe will mean more work in dev and verification,” the researcher told SecurityWeek. “I think (and hope) Apple might be reconsidering, knowing that users of older versions are upset and that even low-privileged guest accounts on Mavericks can be used to exploit the issue and become root.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.