Oh dear.
Only days after Apple released OS X 10.10.5, fixing a host of security flaws, a further serious (and as yet unpatched) vulnerability has been made public, by an Italian teenager who says he researches security holes in his spare time.
Luca Todesco has released details of a zero-day vulnerability in OS X 10.9.5 and OS X 10.10.5, the latest shipping version of Apple’s desktop and laptop operating system.
According to MacIssues, the problem identified by Todesco lies in how OS X handles a NULL pointer dereference, a flaw that a malicious program running on the machine can exploit to bypass the operating system's defenses.
Fortunately, the attack does depend on unsuspecting users first downloading and agreeing to execute malicious code on their computer — although, as we all know, malicious hackers are experts at using social engineering and compelling lures to trick the unwary into making unwise decisions.
Some have already criticised 18-year-old Todesco for making available proof-of-concept code that exploits the unpatched OS X vulnerability, but on Twitter he appears to be unrepentant:
"considering filing a lawsuit against Todesco for his gross negligence in releasing the how-to for this exploit" – guns don't kill people
— qwertyoruiop (@qwertyoruiopz) August 16, 2015
Once again, I’m inclined to believe that Apple might get more assistance from independent vulnerability researchers if it were to offer a financial reward for the responsible disclosure of bugs, rather than take its current — somewhat aloof — approach.
It remains to be seen whether Apple will release a patch for this latest vulnerability, or attempt to wait until OS X 10.11 El Capitan ships (the beta version reportedly already thwarts this particular attack).
Personally, my hope is that they will do the right thing and protect users of their current official shipping version rather than leave them in the lurch until they are ready to upgrade.
Meanwhile, the Thunderstrike 2 vulnerability also remains unpatched by Apple.
One hopes that the fix for that — like Todesco’s zero-day vulnerability — will be coming sooner rather than later.
Apple, please get the bugs fixed. Then sort out your relationship with the vulnerability researchers.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.