
Failed Apple Rootpipe Fix Leaves Backdoor On All Macs, Researchers Claim


When Apple released the latest version of Mac OS X Yosemite earlier this month, it claimed to have fixed a significant flaw, a backdoor named Rootpipe, that had been resident on its computers since 2011. But, due to some uncodified Apple policy on patching, anyone running an operating system below 10.10 remained vulnerable, leaving tens of millions with documented weaknesses in their PCs. And, according to researchers, Apple botched the patch anyway, so all Mac machines remain vulnerable to Rootpipe attacks.

Patrick Wardle, a former NSA staffer who now heads up research at security firm Synack, said he was on a flight when he discovered he was still able to exploit the Rootpipe vulnerability, which essentially opened up a path to the highest privilege level, known as root access.

Apple put additional access controls to stop attacks, but Wardle’s code was still able to connect to the vulnerable service and start overwriting files on his Mac. “I was tempted to walk into the Apple store this [afternoon] and try it on the display models - but I stuck to testing it on my personal laptop (fully updated/patched) as well as my OS X 10.10.3 [virtual machine]. Both worked like a charm,” Wardle told FORBES over email. In a blog post, he’d said his exploit was “a novel, yet trivial way for any local user to re-abuse Rootpipe”.

He would not reveal his attack code, however, which he has passed on to Apple, in the hope the firm will issue a full and unbreakable fix in the coming months. The video below shows his hack in action.

When Apple was initially told about the Rootpipe backdoor in October last year, it took until April to address the issue, having originally planned a January fix. Though the attack requires a hacker to have obtained local privileges, most likely via an exploit of other software sitting on Macs, Apple has still failed to patch an issue that it had evidently struggled to eradicate in the first place.

A separate researcher, Pedro Vilaça, told FORBES over Twitter the Rootpipe fix was "doomed since it was released", saying there were a "tonne of ways to bypass it due to the wrong fix design", though he didn't go into more detail. Vilaça has uncovered numerous Mac OS X issues in recent years.

Apple had not responded to a request for comment at the time of publication.

Apple's security practices have been flagged repeatedly in recent months. Not only was it criticised for purposefully leaving Rootpipe on masses of Mac machines, its attempts to protect iOS devices were also blasted by German researcher Stefan Esser. During the Syscan conference in Singapore, Esser claimed repeated attempts by Apple to close off iOS vulnerabilities had failed, leaving them open to so-called “jailbreaks”, where users can release their phone from Apple’s control to install whatever software they want on an iPhone or other iDevice.