Just days after Apple patched a local privilege escalation vulnerability in OS X that would grant attackers root access, they are working to patch another one.
Italian researcher Luca Todesco published proof-of-concept code to GitHub for "Tpwn," a memory corruption bug in the kernel of OS X versions 10.9.5 (Mavericks) through 10.10.5 (Yosemite). It does not affect the forthcoming version, OS X El Capitan, which is now in beta.
As Todesco explained to MacWorld, "The memory corruption condition can then be used to circumvent kernel address space layout randomization (kASLR), a defensive technique designed to thwart exploit code from running. The attacker then gains a root shell."
Todesco created a kernel extension called NULLGuard to protect against tpwn, but later recommended users instead install SUIDGuard, a TrustedBSD kernel extension created by Mac security researcher Stefan Esser.
Todesco published the code for Tpwn just hours after he disclosed the vulnerability to Apple, for which he has received some public criticism.
there are a few reasons to drop a full kernel 0day PoC on github. apple's slowness is not one of them, fyi.— Luca Todesco (@qwertyoruiop) August 16, 2015
Tpwn arrives just six days after Apple patched the DYLD_PRINT_TO_FILE vulnerability in OS X Yosemite discovered last month -- a bug in an environment variable that also enabled root access.
Other cracks were found in Mac OS X recently by Synack director of research Patrick Wardle. At Black Hat Las Vegas this month, Wardle revealed exploits he'd written that circumvents Gatekeeper, OS X's mechanism for preventing unsigned code from running.