Published in News

Italian teen found what Apple security experts couldn't

by on17 August 2015


Forbidden to fix it

An Italian teenager has found two zero-day vulnerabilities in Apple's OS X operating system that could be used to gain remote access to a computer.

Luca Todesco, 18 has a patch for the vulnerabilities but he can't release them because Apple only allows people who have a Mac developer certificate to do that.

Todesco put details of the exploit he developed on GitHub. The exploit uses two bugs to cause a memory corruption in OS X's kernel.

The memory corruption condition can then be used to circumvent kernel address space layout randomization (kASLR), a defensive technique designed to thwart exploit code from running. The attacker then gains a root shell.

The exploit code works in OS X versions 10.9.5 through 10.10.5. It is fixed in OS X 10.11, the beta version of the next Apple OS nicknamed El Capitan.

Todesco told Apple of the problems "a few hours before the exploit was published" which was rather naughty but we can understand his frustration.

After all if you can fix a problem but Apple will not recognise you because you are kid and have not completed all the forms and training which proves you are just as good as the clowns who put the flaws in the first place, it can be a little frustrating.

Last modified on 17 August 2015
Rate this item
(16 votes)

Read more about: