A new OS X bug is being exploited by attackers who are installing adware on Mac computers without needing any system passwords. Apple announced that it is working to release a fix as soon as possible.
This bug is known as a zero-day exploit, meaning hackers exploited the bug before Apple developers ever knew about it.
Security researcher Stefan Esser disclosed the flaw last week, saying that a security hole in OS X 110.10.5 allows attackers to get unfettered root privileges. These types of privilege-escalation bugs are regularly used by attackers to evade security systems in software.
Apple told Mashable that the flaw has been fixed in a new OS X 10.10.5 beta version. There’s no word, however, on when the updated operating system software will be available to the public.
Esser did not notify Apple about the security hole before publicly announcing the flaw on a blog. Thomas Reed from the security firm Malwarebytes questioned Esser’s motives for disclosing the flaw.
“There is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest,” Reed wrote in a blog post.
Esser is a respected security researcher and software developer, but many argue that downloading patches not approved by the original developer is not a good idea.
Apple said the patch will be released before the next major update of the OS, El Capitan, which is expected to be released later this fall, according to The Guardian. Apple is blacklisting developers and apps that exploit this bug.