Apple has been hit by a second unpatched “privilege escalation” bug in as many months, allowing an attacker to take complete control of a computer by abusing a flaw in the operating system’s memory handling.
The bug, which is similar to the DYLD vulnerability revealed in late July, affects versions of Mac OS X from 10.9.5 through to the recently released 10.10.5. It does not affect the beta versions of the next version of Mac OS X, called El Capitan, which is due out this autumn. As a privilege escalation bug, it opens up the possibility of malware bypassing the security measures put in place to limit the abilities of malicious code that somehow ends up running on a user’s computer.
Discovered by a researcher named Luca Todesco, who describes himself on Twitter as an 18-year-old Italian, the bug was publicly disclosed on Sunday without giving Apple advance notice to fix the error – something which has earned Todesco no small amount of criticism.
One commenter on Apple Insider summed up the prevailing opinion: “Not notifying the software author first, and giving them some time to release a patch before public disclosure, is pure asshattery, in my opinion.”
July’s DYLD bug, which was similarly released without giving Apple advance warning, was patched within the month, but it looks like users will have to wait for El Capitan to see this latest flaw fixed.
Apple did not respond to a request for comment on this story.