Double trouble for Apple as two OS X vulnerabilities surface: Rootpipe and Wirelurker

6 Nov 2014

Apple is facing the tricky situation of dealing with two potentially damaging vulnerabilities that surfaced online recently.

‘Rootpipe’, discovered by Swedish hacker Emil Kvarnhammar, affects OS X Yosemite.

Upon finding the flaw, TrueSec’s Kvarnhammar contacted Apple and the IT giant requested that he keep details of the issue quiet until mid-January – presumably allowing time for a patch.

Kvarnhammar said, “The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It’s important that they have time to patch, and that the patch is available for some time.”

Kvarnhammar first found the issue in previous versions of Apple’s OS around mid-October.

“It all started when I was preparing for two security events, one in Stockholm and one in Malmö,” explained Kvarnhammar. The Swede wanted to show a flaw in Mac OS X, “but relatively few have been published.”

“There are a few ‘proof of concepts’ online, but the latest I found affected the older 10.8.5 version of OS X. I was a bit dejected but continued to investigate. There were a few small differences [in later releases] but the architecture was the same. With a few modifications I was able to use the vulnerability in the latest Mac OS X, version 10.10.”

Wirelurker, a well-travelled threat

Meanwhile Wirelurker has been around a little longer, brought into the mainstream by travelling on the back of certain versions of pirated Chinese software, which installs the malware upon running the pirated product.

“Wirelurker then hangs around the infected system until the user plugs in a mobile device with a USB cable, at which point it scrapes personal data and attempts to install malicious copies of apps,” says the Guardian.

“If the user’s device is jailbroken – hacked, to let them install software without Apple’s permission – then it steals far more information, such as old iMessages and the contents of the user’s address book.”

“WireLurker is unlike anything we’ve ever seen in terms of Apple iOS and OS X malware,” says Ryan Olson, the intelligence director of Palo Alto Networks, which discovered the malware. “The techniques in use suggest that bad actors are getting more sophisticated when it comes to exploiting some of the world’s best-known desktop and mobile platforms.”

Gordon Hunt was a journalist with Silicon Republic