
Apple to patch serious security hole in Mac OS X

The nasty bug, which could give hackers access to the entire operating system, is set to be fixed in the next security update.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Apple has a fix ready for the latest bug in Mac OS X. Apple

Apple will soon push out a fix for a new security bug that's affected users of its Mac operating system.

Reported in early July, the bug in the OS X environment variable DYLD_PRINT_TO_FILE is considered a serious hole as it could allow hackers to remotely run a program on a Mac using administrator rights, which potentially opens up wide access to the entire operating system. The vulnerability has already been exploited "in the wild," according to the Guardian, leading to at least one adware installer taking advantage of it to further its capabilities.

In response, Apple will fix the bug in the next update to its Mac OS X, specifically OS X 10.10.5. The initial beta of the next security update did not contain the patch, the Guardian said, leading to some concern that it might not be resolved until El Capitan is released in the fall.

Apple's Mac operating system has long enjoyed a reputation as more secure than Windows. And, yes, Windows does get bitten by a fair number of bugs, forcing Microsoft to roll out patches and fixes on a regular basis. But Apple's Mac OS is hardly immune from security flaws. Bugs have popped up in the past, including the so-called "gotofail" OS X security hole in April 2014, the "Shellshock" or "Bash" bug from last September and three severe vulnerabilities uncovered by Google's Project Zero security team in January. In the past, Apple has sometimes been slow about patching bugs, raising concerns among security experts and OS X users.

But the latest beta for the next update to OS X 10.10.5 does include the fix for the DYLD exploit, according to security researcher Stefan Esser, who first reported the bug. On July 31, Esser tweeted: "Looks like dropping DYLD_PRINT_TO_FILE exploit resulted in Apple having fixed it in OS X 10.10.5 beta '2' - suddenly they can work 'faster.'"

Sources close to the matter also confirmed to CNET that the latest public beta of OS X 10.10.5, created on July 30, does come with the necessary patch. Typically, a public beta of an update to OS X takes around two weeks before it reaches Mac users. So OS X users should expect the fix to roll out in the next week or so.

On Tuesday, Apple also updated its XProtect system, a security feature that filters out malware, to catch any malware that taps into the DYLD vulnerability.

Apple has taken other steps to prevent further exploits of the hole, the Guardian said. The company will now revoke the credentials of any developer who exploits the vulnerability and will place any app that taps into the bug on its list of malware. But Mac users still need to make sure they're protected against the bug until the actual security patch is released.

That naturally raises the topic of whether or not you should run anti-malware software on a Mac. Many Mac users have contended that security software is not necessary as the Mac is a secure operating system, especially with such features as XProtect. But given that bugs do crop up from time to time, and Apple isn't always quick on the draw to squash them, installing a good security program on your Mac may be a good idea at this point.

Updated at 10:17 a.m. PT with more details and our own confirmation of the patch.