A recently-discovered security flaw in OS X that allows the bad guys to gain root-level access to a Mac without requiring a administrator password, will be fixed in the final release of OS X 10.10.5, which is currently at the beta testing stage.
There is no word on exactly what steps Apple will take to mitigate the problem, or whether the company will issue security patches for older versions of OS X. The decision to include a patch in OS X 10.10.5 was first reported by The Guardian.
The installer reportedly gains root level permissions by modifying the OS X sudoers configuration file, leaving it vulnerable to installation of malware and adware.
The bug was discovered by researcher Stefan Esser last week, he says developers failed to use standard security protocols OS X dynamic linker dyld. Esser reports the vulnerability is present in OS X 10.10.4, and even the recent beta versions of OS X 10.10.5. (However, today’s news indicates they are working on that.) He reported it is not present in early builds of OS X 10.11 El Capitan.
News of this exploit came close on the heels of a proof-of-concept worm called Thunderstrike 2, which can affect both Mac and PC hardware. The attack targets option ROM on peripherals, allowing it to be spread simply by connecting an infected peripheral to a Mac or PC.
