by Jim Lynch

OS X has hidden backdoor API for root privileges

Apr 10, 201512 mins
Computers and PeripheralsMacOSMobile

In today's Apple roundup: Why you should update to OS X 10.10.3 right away. Plus: Apple Watch sells out in minutes. And Mac sales up nine percent in the U.S

OS X’s hidden backdoor API for root privileges

No computer operating system is perfect, not even OS X. A recently disclosed security vulnerability puts OS X users at risk from a hidden backdoor. Fortunately, Apple has fixed this in the most recent version of OS X. All OS X users should upgrade to version 10.10.3 immediately to fix this problem.

Gareth Halfacree reports for Bit-Tech:

Apple users are being advised to upgrade to the latest OS X release, version 10.10.3, as soon as possible following the disclosure of a hidden API which allows back-door access to a system-level account.

Apple’s OS X is frequently touted by its fans as inherently more secure than Microsoft’s Windows, and while there is some argument to be made that its adoption of POSIX-compliant permissions and other Unix-inspired security systems make it a harder target it’s a fact that any complex software stack is vulnerable to attack.

Security researcher Emil Kvarnhammar has proven that with the publication of a hitherto unknown back-door API in the operating system which allows any user to break free of a restricted account and gain system-level privileges.

More at Bit-Tech

You can also read Emil Kvarnhammar’s original and very detailed blog post on TrueSec about this flaw in OS X’s security safeguards:

The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system.

The intention was probably to serve the “System Preferences” app and systemsetup (command-line tool), but any user process can use the same functionality.

Apple has now released OS X 10.10.3 where the issue is resolved. OS X 10.9.x and older remain vulnerable, since Apple decided not to patch these versions. We recommend that all users upgrade to 10.10.3.

More at TrueSec

TrueSec readers shared their thoughts:

Gareth Davies: “What’s the view on delaying public disclosure on such a serious security flaw? I understand the reasons for agreeing that Apple should have more time to fix it but shouldn’t a $770 billion company have worked more quickly on this one? If a white hat found this it’s possible, I guess, that less principled parties were actively using it having discovered it independently.”

Chris Baldwin: “Great work. I am an amateur OS X security enthusiast, due to the fact that I have been dealing with this exact situation for years now, on multiple systems. All of my knowledge is self taught through research on how OS X works, and researching the error messages that were telling me something just wasn’t right. In reading your exploit, I found a number of similarities to my situation. I think this may finally put to rest an issue that no one, including apple have been able to help with, and which I have been in able to solve on my own. I believe there are far more people compromised than anyone realizes because of this. I only know because I have spent so much time chasing it personally. Thank you for the work, finding this, and getting it patched.”

John Car: “My family are all using Apple machines with 10.9.5 for various reasons. What sort of access is required to one of them, for this exploit to be used by attackers? All our machines are behind a firewall, but obviously some services are open to our machines. What service should be blocked at the firewall to prevent this exploit being used?”

Emil Kvarnhammar: “This is a local privilege escalation. For a successful attack, attackers would need the ability to execute code. This can be achieved through a vulnerability in the browser, an installed malicious application, documents with macros etc.”

Micke: “Thank you Emil for sharing the details in such an approachable way, even for a developer like me not working exclusively with security or reverse engineering. I think security is a really interesting field that I would like to approach much more, and articles like this one really helps me to know what to expect and how to learn more. Great work!”

More at TrueSec

Apple Watch sells out in minutes

Pre-orders for the Apple Watch started today, and stock sold out in minutes. Shipping times for the Apple Watch have already been pushed back four to six weeks. So much for those who doubted the appeal of the Apple Watch.

AppleInsider reports on sales of the Apple Watch:

Apple Watch Sport was the first to go, with delivery times slipping to “4-6 Weeks” less than 5 minutes after pre-orders opened in some locations. Stainless steel models quickly followed, though some of the more expensive versions remained available for launch day delivery for over an hour.

Edition models skipped the 4-6 week window entirely, dropping directly to June, where nearly all models now stand.

The Watch is an extraordinarily small and complex device, using many components that have never made their way into a shipping Apple product before. Sources told AppleInsider last month that Apple faced production issues with the wrist-worn device “at every stage of the development.”

While some believe that Apple is purposefully withholding Apple Watch stock to drive an increase in perceived demand, that remains an unlikely possibility.

More at AppleInsider

AppleInsider readers shared their thoughts about pre-orders for the Apple Watch:

AppleZilla: “Got our order in right after sales went live. Ordered a couple of sport bands along with our steel banded watches, but it looks like those will not arrive until after the Watch.

Blue and Black: 2-4 weeks

White: May

Hopefully they step up the production on the sport bands.”

Woodyplant: “I was one of the people hitting refresh starting five minutes before launch. I also had the watch that I wanted saved as a favorite. With all of this preparation, my ship date for the 42mm space black stainless steel watch is in June. The process may have taken three minutes and by then the orders were back logged!

I do remember that the same thing happened with my 6+ and I got that on time so there is hope. Perhaps Apple is making us swallow the pill of disappointment first just in case there are going to be delays. Mine ships June but if I get it earlier I am naturally happier than if it is a few days late from the given date.”

Mac_128: “Judging by these delays, I’m more inclined to believe that Apple has chosen a more build to order model, than massive sales. No doubt the pre-orders are going to be massive, but I think the inventory is minimal, and they will be assembling to meet demand. Think of it as the actual launch day is the 24th. Supplies will still be just as constrained by then, but by giving themselves a two week head start, they will come much closer to meeting actual demand with much less inventory on hand.”

Thompr: “I’m not believing that it was crushing demand that caused the delayed shipping for certain models. I mean, sure, maybe the demand was very high. But I know for a fact that the model I purchased started out at 4-6 weeks from the get-go, and it never changed from there. My interpretation…

Apple either had a hard time ramping up all models for launch day, or as someone else suggested, they are starting out with a build-to-order model because they don’t know how many of each SKU to start with until they see the tendencies.”

Ecats: “With popular models selling out online in less than 30 minutes, queuing would guarantee missing out on a launch day delivery. For shoppers to stand a chance they’d have to buy online at home, thus the queues weren’t ever going to be massive.

Savvy shoppers knew one couldn’t pre-order in store; which is something that Apple announced because it realised that demand was too large and anyone who waited for a try-on session would end up with a several-month long shipping delay, that would be a huge let down after having just handled the device.

The ship dates are now getting extreme, certain edition models now showing August deliveries, and some models simply being listed as “Sold Out” in China.

If analysts are thinking this is a bad launch, they need to find a new job.”

More at the AppleInsider Forum

The Verge reports on shopping for an Apple Watch in Tokyo, Paris and London:

So, Apple’s retail strategy for the Watch is a little different to other products. You can check it out in Apple’s own stores, of course, but the company is experimenting with other partners as well — places that never would have sold Apple products before. And the first phase of this occurred today, with pop-up Watch shops opening in major department stores in three fashion-forward cities: Tokyo, Paris, and London.

We were at all three. Here’s what we saw.

Galeries Lafayette is enormous, and it’s very expensive. The central part of the store is a series of circular floors that look down on an open space full of luxury bags and perfumes. Hovering above it all is an ornate stained glass dome. It’s the kind of place that attracts the rich and the haut couture fashionable, which is the demographic Apple seems to be targeting. But much like its September preview event at the store Colette, a mecca of all things hipster-chic, the people who gathered this morning weren’t exactly fashionistas. The clientele was predominantly male, and it was at times difficult to differentiate journalists from customers.

Once the initial wave of excitement subsided, things settled into a more normal retail experience. If it weren’t for the luxury goods and art deco architecture surrounding it, the carpeted space could’ve easily been part of any other Apple Store — full of clean edges and white paint. It’s hard to say whether the Paris event was a “success.” It certainly wasn’t as chaotic as I expected, and no one I spoke with said the preview had convinced them to buy a smartwatch. Instead, it seems like Apple just reaffirmed decisions that its most loyal customers had already made.

More at The Verge

Mac sales up nine percent in the U.S.

While the Apple Watch may be getting most of the media attention, Apple’s Mac computers are doing quite well in terms of sales. In the first quarter of 2015, Macs gained nine percent in the U.S. alone.

AppleInsider reports on the positive trend in Mac sales:

In its latest preliminary estimates release published Thursday, Gartner said Apple shipped 1.67 million Macs in the U.S. to capture 12 percent of the market, an 8.9 percent year-over-year gain.

With its quarterly performance, Apple retained its spot as the country’s third-largest PC vendor, falling short of No. 1 HP’s 26.1 percent and second place Dell’s 23.2 percent. For the quarter ending in March, HP shipped 3.63 million units, while Dell shipped 3.2 million. Dell was the only top-five PC maker to see negative growth of 3.8 percent year-over-year.

More at AppleInsider

The Gartner site has more details about PC shipments:

Worldwide PC shipments totaled 71.7 million units in the first quarter of 2015, a 5.2 percent decline from the first quarter of 2014, according to preliminary results by Gartner, Inc.

“The PC industry received a boost in 2014 as many companies replaced their PCs due to the end of Windows XP support, but that replacement cycle faded in the first quarter of 2015,” said Mikako Kitagawa, principal analyst at Gartner. “However, this decline is not necessarily a sign of sluggish overall PC sales long term. Mobile PCs, including notebooks, hybrid and Windows tablets, grew compared with a year ago. The first quarter results support our projection of a moderate decline of PC shipments in 2015, which will lead to a slow, consistent growth stage for the next five years.

“Desk-based PC shipments declined rapidly, with business desk-based PCs being impacted the most. Mobile PCs are being driven by a separate underlying replacement cycle, which led mobile growth in the first quarter. PC replacements will be driven by thin and light notebooks with tablet functionality. Our early study suggests strong growth of hybrid notebooks, especially in mature markets, in 1Q15.”

More at Gartner

AppleInsider readers weren’t shy about sharing their thoughts about the Mac’s positive sales performance:

TheWhiteFalcon: “…Jobs’s truck analogy still holds. Most people don’t need trucks, and while the best selling single vehicle in America is everyone’s favorite creation from Dearborn, as a whole cars outsell trucks big time. Likewise, some will continue to buy PC’s because they need them (personally for writing I still need a full-fledged multitasking OS, but I don’t need new hardware for that), some will because they just like them, but most won’t anymore.”

Brucemc: “If you look at the broader “mobile computing” market, including the appropriate smart phones, tablets and mobile PC’s, Apple has both the largest unit share, and the overwhelming amount of profit in the industry. That being said, there is still a lot of unit share out there to gain, and while Apple is getting the top end of that, more & more are entering that top end each year.”

DarelRex: “Gartner is careful to lump Apple’s figures in with the rest, when calculating the “Total” of 1.3% industry decline; i.e. there is no row in their chart for “Windows PCs.” To help obscure this trick, they call the Mac row “Apple,” as if Apple is just another maker of Microsoft crap along with HP, Dell, etc.

To get the Windows figure, simply subtract the Mac numbers from the Total numbers, do the math, and voila: Windows PCs experienced a 2.6% decline, double the loss of Gartner’s obfuscational “Total.”

More at AppleInsider Forum

Did you miss a roundup? Check the Eye On Apple home page to get caught up with the latest news about Apple.