updated 10:10 pm EDT, Wed August 28, 2013
Could give admin-level users unauthorized root access
A flaw in the Unix "sudo" program that has remained unaddressed in recent implementations of OS X and some distributions of Linux could allow a current or former user who still has admin-level access to the computer to gain root access, presenting a security risk. The flaw, discovered by security testing software maker Metasploit, requires would-be attackers to jump through a number of hoops, however.
The possibility of an attacker successfully exploiting the vulnerability is pretty remote under most circumstances, but there are situations where the various requirements could be met and the attack could succeed. The flaw, which involves resetting the target computer's clock, requires that the attacker already have admin-level privileges on the machine, have physical or remote access to it, and have used the sudo command on the machine successfully once before. All three of the conditions must be satisfied in order for the intruder to reset the computer's clock in the manner necessary to gain root privileges.
By default under OS X, only the owner of the machine has administrator privileges, and remote sharing is off -- completely preventing non-users or remote attackers from being able to even begin utilizing the exploit. The fact that the attacker must be a person who still has admin-level access to the machine narrows the risk quite considerably. Further, it is thought that only a single-digit percentage of Mac users ever engage the sudo command at all, which requires the use of the Terminal program.
However, in a scenario such as a recently-fired employee of a company, a jilted lover or an abusive mate who still has an admin-level account on the target machine, the person could conceivably have both the access and the technical know-how to exploit the flaw and gain full access to all files on the target computer. On the Mac, the bug exists in all recent versions of OS X from 10.7 onwards. Under Linux, the flaw either exists or has been worked around depending on the particular distribution.
Apple may be waiting for its upcoming release of the next major version of OS X, called Mavericks, to address the vulnerability -- reasoning that the chances of an attack are sufficiently low that it is not a high-priority item. To date, there have been no known successful attacks exploiting the flaw. However, Metasploit went public in order to urge Apple to address the problem promptly.
The company's motives in revealing the problem may be suspect, however, as Metasploit sells "penetration-testing software" for security and IT professionals, and thus has a vested interest in making its audience aware of potential security risks for the Mac and other platforms. Apple was notified of the problem five months ago, but has not issued a formal public or private response. The iPhone maker has been known to be sometimes slow to respond to bugs found in open-source software, preferring to wait until a scheduled update or new release rather than patch flaws as they come along when the company doesn't see them as likely to be exploited.