A newly discovered flaw in macOS could allow anyone or anything with access to a general user account to take control of a computer.
The flaw is not entirely new. It was first revealed last week as a vulnerability in the command "sudo," which is present in almost all Unix-like operating systems, including Linux and macOS.
Yesterday (February 2), security researchers demonstrated that the flaw actually works in macOS, including the latest version of Big Sur released on Monday (February 1).
The sudo flaw, dubbed "Baron Samedit" by its discoverers, grants common user accounts privileges that they should not have. Anyone or any malware that has access to a Mac, whether in person or over a network, can use Baron Samedit to take over the machine.
Sudo stands for "superuser do," and is usually used by users who already have administrative privileges to gain temporary "root" or "superuser" privileges to make changes to the operating system. The administrator user is prompted for a password after invoking the sudo command.
In theory, the Baron Samedit flaw can only be exploited by someone who already has an account on a Mac, Linux, or other Unix-derived machine.
In practice, however, it can be used by remote attackers who steal or crack user passwords over networks, including the Internet. It can also be used by malware that infects ordinary user accounts; you can read more about the Baron Samedit flaw and the resulting exploit mechanism here and here.
The Baron Samedit flaw had already been patched by several major Linux distributions, including Debian, Red Hat, and Ubuntu, before the vulnerability was announced on January 26.
Apple did not join them, probably because Apple developers were not aware that macOS might be affected. In fact, there are obstacles that prevent the exploit from functioning as is on macOS. However, Matthew Hickey, CEO and co-founder of information security consulting firm Hacker House, showed yesterday on Twitter that a couple of simple command-line entries remove that obstacle and allow the Baron Samedit exploit to work on macOS.
Hickey called it "one of the most devastating and pervasive LPEs [local privilege elevation] in modern UNIX/Linux history."
Will Dormann of the Computer Emergency Response Team Coordination Center (CERT/CC), a research facility at Carnegie Mellon University in Pittsburgh that is funded by the US Department of Defense, confirmed Hickey's findings shortly afterwards.
Well-known Mac hacker Patrick Wardle then confirmed that macOS Big Sur 11.2 was vulnerable.
Hickey's discovery was quickly turned into proof-of-concept code and uploaded to Pastebin for all to see.
So what can we do to protect ourselves from this problem? According to Hickey, there is nothing users can do to fix this flaw on their own, not even users with administrative privileges who use sudo properly.
We will have to wait until Apple fixes this in Big Sur and in updates for the two previous versions of macOS, 10.15 Catalina and 10.14 Mojave. It is possible that the patch will also be applied to earlier versions that are no longer officially supported, as Apple has done in the past when fixing very serious bugs.
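Since the only real fix is a patched sudo, the practical defender's task while waiting is to know which machines still run a vulnerable build. The following script is an added example, not code from the article, from Hickey or from Apple: it parses the first line of `sudo --version` (which sudo prints as "Sudo version X.Y.ZpN") and compares the installed version against the first fixed release. The fixed version number is deliberately not hard-coded here; it is passed in as an argument, to be taken from your vendor's advisory. The sample inputs at the bottom are constructed, not real advisory values.

```shell
#!/bin/sh
# Added example: fleet inventory check for the sudo version on a Mac or Linux host.
# Usage on a real host:  sh sudocheck.sh --check <first-fixed-version-from-advisory>
# (the fixed version is NOT in the article; take it from the vendor advisory)

# Turn "1.8.31p2" into four numeric fields "1 8 31 2" so plain integer
# comparison works. A release without a "pN" suffix gets patch level 0,
# and a two-field release like "1.9" gets micro level 0.
sudo_version_fields() {
    v="$1"
    case "$v" in
        *p*) base="${v%p*}"; patch="${v##*p}" ;;
        *)   base="$v";      patch=0 ;;
    esac
    major="${base%%.*}"; rest="${base#*.}"
    minor="${rest%%.*}";  micro="${rest#*.}"
    [ "$rest" = "$minor" ] && micro=0        # no micro field present
    echo "$major $minor $micro $patch"
}

# Returns 0 (true) when version $1 is strictly older than version $2.
sudo_version_lt() {
    set -- $(sudo_version_fields "$1") $(sudo_version_fields "$2")
    i=0
    while [ "$i" -lt 4 ]; do
        a="$1"; b="$5"                        # i-th field of each version
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        shift; i=$((i + 1))
    done
    return 1                                  # equal: not older
}

# Extract the bare version from the first line of `sudo --version` output.
# Prints nothing if the line does not look like "Sudo version N.N.N[pN]".
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# $1 = raw `sudo --version` output, $2 = first fixed version from the advisory.
# Prints "patched <ver>" (exit 0), "vulnerable <ver>" (exit 1) or "unknown" (exit 2).
sudo_status() {
    ver="$(parse_sudo_version "$1")"
    if [ -z "$ver" ]; then
        echo "unknown"; return 2
    fi
    if sudo_version_lt "$ver" "$2"; then
        echo "vulnerable $ver"; return 1
    fi
    echo "patched $ver"; return 0
}

if [ "${1:-}" = "--check" ]; then
    # Real host check: compare the installed sudo with the advisory's fixed version.
    sudo_status "$(sudo --version 2>/dev/null)" "$2"
else
    # Stand-alone demonstration on constructed input (not real advisory values).
    sudo_status "Sudo version 1.2.3p1" "1.2.3p2"     # prints: vulnerable 1.2.3p1
    sudo_status "Sudo version 1.2.3p2" "1.2.3p2"     # prints: patched 1.2.3p2
fi
```

The exit code is what makes this usable from a configuration-management or MDM script: a non-zero status flags the host for follow-up, and "unknown" separates hosts where sudo printed something unexpected from hosts that are genuinely behind.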
In the meantime, until the patch arrives, keep your Mac running the best Mac antivirus software. Antivirus software won't stop someone from sitting down at your machine and logging in, but hopefully there are other ways to catch that.
And stick to the official Mac App Store when installing new programs until Apple fixes this flaw.
Tom's Guide has reached out to Apple for comment on this issue and will update this article as soon as we hear back.