Apple squashes serious security bug with update to Mac OS X

The latest version of Mac OS X -- 10.10.5 -- fixes a serious security hole that was first reported in early July.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.

Apple's latest OS X update fixes a nagging security hole. Apple

Apple has fixed a bug in its desktop operating system that could have given hackers access to the entire OS.

Released on Thursday, Mac OS X 10.10.5 resolves scores of holes and technical glitches. But one serious bug in particular was squashed along with the rest. The vulnerability, in the way OS X's program loader (dyld) handled an environment variable known as DYLD_PRINT_TO_FILE, was considered serious because it let any program already running on a Mac, even one launched from an ordinary user account, gain system-level (root) privileges, a higher level of access than a normal administrator account, which opens up wide access to the entire operating system. It is not a remote hole: an attacker first has to get code running on the machine, typically by persuading the user to install something. The vulnerability had already been exploited "in the wild," or in the real world, according to the Guardian, with at least one adware installer using it to gain root on the Macs it was installed on.

The Mac OS has long enjoyed a reputation as more secure than Windows. But just like Microsoft, Apple has to do its fair share of patching with regular updates and bug fixes. The latest update resolves more than 100 different bugs affecting Bluetooth, QuickTime, the Mac OS X kernel, the Mac's Notification Center and other features. In the past, Apple has sometimes been slow about patching individual bugs, whereas Microsoft rolls out a series of patches on a monthly basis through its Patch Tuesday program.

Apple's details on the bug fix, which is available for OS X Yosemite versions 10.10 through 10.10.4, said that with the vulnerability, "a local user may be able to execute arbitrary code with system privileges." Apple noted that the problem was due to a "path validation issue" in DYLD and that the issue was addressed through "improved environment sanitization." Apple did not immediately reply to CNET's request for a layman's explanation of these terms. In plain language: dyld, the component that loads every program on the Mac, would open and write to whatever file the variable named without checking whether the program being loaded was running with elevated privileges, so an ordinary user could have it append to protected system files. The fix makes dyld discard the variable in that situation, as it already did for the other DYLD_ variables.

The DYLD bug was first reported by security researcher Stefan Esser. In a tweet posted late Thursday, Esser said: "Hmm so Apple released 10.10.5 fixed some bugs and made another security problem worse than before." Esser didn't reveal which security problem was allegedly made worse. But he reportedly has advised Mac users not to uninstall his SUIDGuard kernel extension, which guards against attacks that take advantage of the DYLD hole, according to security news site SecurityWeek.