Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Little Snitch Flaw Exposed Mac Systems to Attacks

A serious vulnerability in the Mac OS X firewall Little Snitch could have been exploited by hackers to gain root privileges on a system or execute arbitrary code in the context of the kernel.

A serious vulnerability in the Mac OS X firewall Little Snitch could have been exploited by hackers to gain root privileges on a system or execute arbitrary code in the context of the kernel.

Patrick Wardle, director of research at Synack, discovered that Little Snitch was plagued by a heap overflow that allowed a local user or an unprivileged piece of malware to escalate their privileges to root or run unsigned code in the kernel.

The vulnerability was reported to the developer of Little Snitch, Objective Development, on January 17 and it was patched 11 days later with the release of version 3.6.2. The company told SecurityWeek that versions released in January and later are not affected and its server logs indicate that a vast majority of users have updated their installations. The vendor also pointed out that there is no evidence that the vulnerability has been exploited in the wild.

“Patrick is a long-time Little Snitch user and we are in contact at regular intervals,” said Objective Development representatives. “We appreciate not only what he is doing as a developer but also his contributions to the entire mac community.”

While the vulnerability was addressed quickly by Objective Development, Wardle told SecurityWeek he was displeased that the company only described the flaw in the release notes as a “rare issue that could cause a kernel panic.” The researcher believes users are less likely to patch their installations if the severity of an issue is downplayed.

“The company needs a better procedure to handle reported security vulnerabilities so that their users will be made aware of any such reported issues so they can update and protect themselves,” Wardle noted. “‘Hiding’ a fix for a reported exploitable kernel bug in the release notes as a ‘rare issue that could cause a kernel panic’ borders on dishonestly – IMHO.”

In addition to the kernel heap overflow vulnerability, Wardle also identified several ways to bypass the firewall, including by abusing rules and process-level trust, and simply by simulating user interaction.

Advertisement. Scroll to continue reading.

“[The bypass methods] afford an attacker or malware the ability to utilize the network (e.g. connect to a command and control server, etc) in an uninhibited manner without generating any alerts from the firewall,” Wardle said.

The researcher believes Little Snitch is a decent product and it even uses it himself. However, he noted that it is trivial to bypass.

“Users should be aware that if an attacker or piece of malware wants to bypass it, they easily could. This is true of most security products – so I’m not trying to single out Little Snitch. Just something users should be aware of,” Wardle explained. “However Little Snitch is really really easy to bypass – kinda like Windows firewall products were 10 years ago. I’d expect a little more from a paid security product.”

This is not the first time Wardle has found vulnerabilities in an OS X product. The researcher has managed to find several methods to bypass Apple’s Gatekeeper security feature.

Earlier this year, the expert released RansomWhere?, a tool designed to generically detect ransomware attacks on OS X systems.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.