Menu
Italian teen finds two zero-day vulnerabilities in OS X

Italian teen finds two zero-day vulnerabilities in OS X

The exploit he developed yields root access

An Italian security researcher says he's found two zero-day vulnerabilities in OS X.

An Italian security researcher says he's found two zero-day vulnerabilities in OS X.

An Italian teenager has found two zero-day vulnerabilities in Apple's OS X operating system that could be used to gain remote access to a computer.

The finding comes after Apple patched last week a local privilege escalation vulnerability that was used by some miscreants to load questionable programs onto computers.

Luca Todesco, 18, posted details of the exploit he developed on GitHub. The exploit uses two bugs to cause a memory corruption in OS X's kernel, he wrote via email.

The memory corruption condition can then be used to circumvent kernel address space layout randomization (kASLR), a defensive technique designed to thwart exploit code from running. The attacker then gains a root shell.

The exploit code works in OS X versions 10.9.5 through 10.10.5. It is fixed in OS X 10.11, the beta version of the next Apple OS nicknamed El Capitan.

Todesco, who said he does security research in his spare time, said he notified Apple of the problems "a few hours before the exploit was published."

"This is not due to me having issues with Apple's patch policies/time frames, as others have incorrectly reported," he wrote.

He also developed a patch called NULLGuard, which he's included in the GitHub material. Since he does not have a Mac developer certificate, he wrote that he can't distribute an easy-to-install version of the patch.

Apple officials could be not immediately reached for comment.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags ApplesecurityExploits / vulnerabilities

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments