Incident: Apple Mac OS X Vulnerabilities: Privilege Escalation and Firmware Exploits

Published Date: 2015-08-05

Postmortem Analysis
Timeline
1. The software failure incident happened in August 2015 [39005, 39007].

System
1. Mac OS X operating system
2. DYLD component
3. Thunderstrike 2 vulnerability
4. Firmware of Mac computers
5. Thunderbolt devices

Responsible Organization
1. Apple - Apple was responsible for the software failure incident because its Mac OS X operating system contained serious vulnerabilities, such as the DYLD vulnerability and the Thunderstrike 2 bug, which raised concerns over the security of its desktop and laptop computers [39005, 39007].

Impacted Organization
1. Apple users were impacted by the software failure incident reported in the news articles [39005, 39007].

Software Causes
1. A privilege escalation bug in the Mac OS X operating system, specifically in a component known as DYLD, which allowed a program to run as an administrator without requiring the user's password [39005].
2. The Thunderstrike 2 vulnerability, which could allow attackers to overwrite a computer's firmware using a malicious webpage, creating a potential worm that could spread from computer to computer [39005].
3. A weakness in the Mac OS X operating system that allowed a malicious program to run as the administrator of the computer, bypassing Apple's security features [39007].

Non-software Causes
1. Lack of timely patching and fixing of known vulnerabilities in the Mac OS X operating system [39005, 39007].
2. Delay in addressing security flaws even after being informed about them months in advance [39007].
3. Release of exploit details without giving due notice to Apple, leading to potential misuse by malicious actors [39007].
4. Presence of weaknesses in the firmware of computers, including Macs, which could be exploited to spread malware [39007].

Impacts
1. The DYLD vulnerability in Mac OS X allowed a program to run as though it had administrator access without needing the user's password, leading to concerns about security and exploitation by adware installers [39005].
2. The Thunderstrike 2 vulnerability, which could allow attackers to overwrite a computer's firmware using a malicious webpage, raised concerns about the potential creation of a worm that could spread from computer to computer without human intervention [39005].
3. The vulnerabilities in OS X brought Mac malware back into the conversation, challenging the long-standing belief that Macs were relatively safe from malware because they had fewer security holes than Windows [39007].
4. Researchers discovered a new adware installer exploiting the privilege escalation vulnerability, allowing the adware to embed itself into the operating system and install without requiring the user's password, highlighting the real-world impact of the incident [39007].
5. The proof-of-concept attack using the Thunderstrike 2 vulnerability demonstrated the potential for a worm to spread from MacBook to MacBook directly, emphasizing the need for awareness of attacks at the firmware level to prevent system subversion [39007].

Preventions
1. Timely Patching: The software failure incidents in the Mac OS X operating system could have been prevented if Apple had promptly patched the identified vulnerabilities in the current versions of the operating system [39005, 39007].
2. Responsible Disclosure: The software failure incidents could have been mitigated if security researchers had followed responsible disclosure practices by informing Apple about the vulnerabilities and giving it sufficient time to address the issues before making them public [39007].

Fixes
1. Apple needs to release a security update to patch the serious "privilege escalation" bug in its Mac OS X operating system, specifically in the DYLD component [39005].
2. Apple should address the Thunderstrike 2 vulnerability by providing a comprehensive fix to prevent attackers from overwriting a computer's firmware using a malicious webpage [39005].
3. Apple should promptly address the unpatched vulnerabilities in the firmware of Mac computers to prevent potential attacks that could spread from one MacBook to another [39007].

References
1. Mac security expert Rich Mogull, who covers the platform on the TidBITS news site [39005]
2. German coder Stefan Esser, who discovered the exploit [39007]
3. Researchers from Malwarebytes [39007]
4. Researchers at the Black Hat security conference in Las Vegas [39007]
5. Researcher Xeno Kovah, who spoke to Wired [39007]

Software Taxonomy of Faults

Category: Option
Rationale

Recurring: one_organization
(a) The software failure incident having happened again at one_organization:
- Apple faced two serious vulnerabilities in its Mac OS X operating system, namely the DYLD vulnerability and the Thunderstrike 2 bug [39005].
- The DYLD vulnerability allowed a program to run with administrator access without requiring the user's password and was exploited by at least one adware installer [39005].
- Thunderstrike 2, which could allow attackers to overwrite a computer's firmware using a malicious webpage, was partially patched in Mac OS X 10.10.4, but the most notable part of the vulnerability remained unfixed [39005].
- These vulnerabilities raised concerns about Apple's security reputation and its ability to address such issues promptly [39005].
(b) The software failure incident having happened again at multiple_organization:
- The articles do not mention similar incidents happening at other organizations or with their products and services.

Phase (Design/Operation): design, operation
(a) The software failure incident related to the design phase is evident in the articles. The vulnerabilities in Mac OS X, such as the DYLD vulnerability and Thunderstrike 2, highlight failures introduced during system development and updates. The DYLD vulnerability allowed a program to run with administrator access without user input, leading to concerns about security breaches [39005]. Additionally, the Thunderstrike 2 vulnerability, which could create a worm spreading from computer to computer, showed a flaw in the system design that could be exploited by attackers [39005].
(b) The software failure incident related to the operation phase is also apparent in the articles. The exploitation of vulnerabilities like the privilege escalation bug, which allowed malicious programs to run as administrators, demonstrated failures introduced by the operation or misuse of the system [39007]. The article also mentioned an adware installer that embedded itself into the operating system without requiring the user's password, indicating operational weaknesses that could be exploited [39007].

Boundary (Internal/External): within_system
(a) The software failure incident discussed in the articles is primarily within the system. The vulnerabilities and bugs mentioned, such as the DYLD vulnerability and Thunderstrike 2, are internal issues within the Mac OS X operating system that allow privilege escalation and firmware manipulation [39005, 39007]. These vulnerabilities are exploited by malicious programs and adware installers to bypass security features and gain unauthorized access to the system. Apple is working on patches to address these internal vulnerabilities and prevent further exploitation from within the system.

Nature (Human/Non-human): non-human_actions, human_actions
(a) The software failure incident occurring due to non-human actions:
- The Thunderstrike 2 vulnerability allows attackers to overwrite a computer's firmware using a malicious webpage, potentially creating a "worm" that can spread from computer to computer without human intervention [39005].
- The Thunderstrike 2 worm spreads through Thunderbolt devices, which are rarely used outside of niche applications and are shared between multiple computers even less frequently [39005].
- The DYLD vulnerability in Mac OS X allows a program to run as though it has administrator access without needing the user to input their password, and it has been exploited by at least one adware installer [39005].
- The Thunderstrike 2 worm, although a theoretical threat, is considered less severe due to the limited use of Thunderbolt devices; Apple has also taken interim measures to prevent further exploitation of the DYLD vulnerability [39005].
(b) The software failure incident occurring due to human actions:
- Stefan Esser, the German coder who discovered the privilege escalation exploit in Mac OS X, heavily criticized Apple for not fixing the flaw in the current version of Mac OS Yosemite or in the beta for the next Yosemite patch [39007].
- Esser mentioned that Apple was informed about the security problem months ago but only fixed it in the beta versions of the next operating system, Mac OS X El Capitan, leaving the current versions vulnerable [39007].
- Researchers from Malwarebytes discovered an adware installer exploiting Esser's bug, allowing the adware to embed itself into the operating system without requiring the user's password [39007].
- The researchers at the Black Hat security conference revealed an exploit that uses weaknesses in the firmware of computers, including Macs, which could be used to create a worm spreading from MacBook to MacBook directly [39007].

Dimension (Hardware/Software): hardware, software
(a) The software failure incident related to hardware can be seen in the vulnerability known as Thunderstrike 2, which allows attackers to overwrite a computer's firmware using a malicious webpage [39005]. This vulnerability exploits weaknesses in the firmware of a computer, the embedded software responsible for low-level functions such as fans, power supply units, and USB ports. Additionally, Thunderstrike 2 can create a "worm" that spreads from computer to computer, particularly through hardware connections like Thunderbolt devices and Apple's ethernet adapters [39007].
(b) The software failure incident related to software can be observed in the DYLD vulnerability in Mac OS X, which allows a program to run with administrator access without requiring the user to input their password [39005]. This software vulnerability has been exploited by at least one adware installer to enhance its capabilities. Another software vulnerability is the privilege escalation exploit discovered by a German coder, which allows a malicious program to run as the administrator of the computer, bypassing Apple's security features [39007].

Objective (Malicious/Non-malicious): malicious
(a) The software failure incident discussed in the articles is primarily malicious in nature. Both articles [39005, 39007] highlight serious vulnerabilities in Apple's Mac OS X operating system that can be exploited by attackers to gain unauthorized access, escalate privileges, and potentially infect other systems. These vulnerabilities, such as the DYLD vulnerability and the Thunderstrike 2 exploit, were discovered by security researchers, who criticized Apple for not promptly patching them, leading to concerns about the security of Mac computers. Additionally, the articles mention instances where these vulnerabilities have been exploited in the wild by adware installers, indicating malicious intent to exploit the weaknesses in the system for unauthorized activities.

Intent (Poor/Accidental Decisions): poor_decisions
(a) The intent of the software failure incident related to poor_decisions:
- The software failure incidents discussed in the articles are related to poor decisions made by Apple in addressing security vulnerabilities in its Mac OS X operating system [39005, 39007].
- Apple was criticized for not fixing serious vulnerabilities in the current version of Mac OS X, Yosemite, or in the beta for the next Yosemite patch, despite knowing about the security problems for months [39007].
- Stefan Esser, the German coder who discovered one of the exploits, heavily criticized Apple for not patching the vulnerability in the current release of Mac OS X 10.10.4 or in the current beta of Mac OS X 10.10.5, while it was already fixed in the beta versions of the next operating system, Mac OS X El Capitan [39007].
- The delay in addressing these vulnerabilities and the decision to patch them only in future releases were seen as poor decisions that exposed users to potential security risks [39005, 39007].

Capability (Incompetence/Accidental): development_incompetence
(a) The software failure incident related to development incompetence is evident in the articles. Article 39007 highlights that a serious vulnerability in Mac OS X, allowing a malicious program to run as an administrator, was discovered by a German coder, Stefan Esser. Esser criticized Apple for not fixing the flaw in the current version of Mac OS Yosemite or in the beta for the next Yosemite patch, despite knowing about it for months [39007].
(b) The software failure incident related to accidental factors is also present in the articles. Article 39005 mentions that the DYLD vulnerability in Mac OS X allowed a program to run with administrator access without requiring the user's password. This vulnerability was already seen "in the wild," with at least one adware installer exploiting it to enhance its capabilities. Apple took interim measures to prevent further exploitation of the vulnerability, indicating that the issue was not intentional but accidental [39005].

Duration: temporary
(a) The software failure incident discussed in the articles appears to be temporary rather than permanent. The articles mention specific vulnerabilities and bugs in the Mac OS X operating system that have been identified and partially patched or are in the process of being patched. For example, the DYLD vulnerability and the Thunderstrike 2 bug are being addressed through patches and interim measures by Apple to prevent further exploitation [39005, 39007]. These vulnerabilities are not inherent to the software itself but arise from specific bugs or weaknesses that can be fixed through updates and patches. The fact that Apple is actively working on addressing these issues indicates that the software failure incident is temporary in nature.

Behaviour: omission, timing, value, other
(a) crash: The articles do not mention any instances of a system crash in which the software fails by losing state and not performing any of its intended functions.
(b) omission: The articles discuss vulnerabilities in Mac OS X that allow malicious programs to run as though they were administrators of the computer, bypassing security features and potentially embedding themselves into the operating system without requiring the user's password. This can be considered a failure due to the system omitting to perform its intended functions securely [39005, 39007].
(c) timing: The articles mention that Apple had already patched some vulnerabilities in the beta versions of its next operating system, Mac OS X El Capitan, but had not fixed the flaws in the current version of Mac OS, Yosemite, nor in the beta for the next Yosemite patch. This delay in addressing security vulnerabilities can be seen as a failure in timing, where the system performs its intended functions correctly but too late [39007].
(d) value: The articles highlight a serious "privilege escalation" bug in Mac OS X that allows a program to run as though it has administrator access without needing the user's password. This can be considered a failure due to the system performing its intended functions incorrectly, compromising security [39005, 39007].
(e) byzantine: The articles do not describe any instances of the system behaving erroneously with inconsistent responses and interactions, which would align with a byzantine failure.
(f) other: The other behaviour observed in the articles is the introduction of Mac malware due to serious vulnerabilities in OS X, leading to concerns about the security of Apple's desktop and laptop computers. This can be considered a failure of system security and integrity, impacting user trust and safety [39005, 39007].

IoT System Layer

Layer: Option
Rationale

Perception: None
None

Communication: None
None

Application: None
None

Other Details

Category: Option
Rationale

Consequence: no_consequence, theoretical_consequence, unknown
(a) unknown
(b) unknown
(c) unknown
(d) The software failure incident mentioned in the articles did not directly result in any property damage or loss of material goods, money, or data [39005].
(e) unknown
(f) unknown
(g) unknown
(h) The articles discuss potential consequences of the software failure incidents, such as the risk of malware spreading and the vulnerabilities in the operating system. However, no real observed consequences are mentioned in the articles [39005].
(i) unknown

Domain: information, utilities, other
(a) The software failure incident reported in the articles is related to the information industry. The incident involves vulnerabilities in Apple's Mac OS X operating system, which could potentially compromise the security of desktop and laptop computers used for information-related activities [39005, 39007].
(g) The incident also has implications for the utilities industry, as it involves vulnerabilities that could allow attackers to overwrite a computer's firmware using a malicious webpage. This could impact the security of power, gas, steam, water, and sewage services that rely on computer systems for operation [39005, 39007].
(m) Additionally, the software failure incident is relevant to the "other" category as it pertains to the broader technology industry. The vulnerabilities in the Mac OS X operating system highlight the potential risks associated with using technology in various sectors, emphasizing the importance of addressing security flaws to protect users across different industries [39005, 39007].
