Mac OS Flaw Exposes Root Privileges

Problem is in NetInfo Manager, an application that is used to set up multilevel hierarchies

A newly discovered flaw in Apple Computer Inc.'s OS X operating system could enable an attacker to gain root privileges on a vulnerable machine.

The problem is in the NetInfo Manager, an application that is used to set up multilevel hierarchies. By opening the application and performing several simple steps, an attacker can easily gain root privileges on a Mac.

However, the Nibindd daemon, which is used to create and destroy NetInfo servers, does not run by default and is not commonly used, experts say, making it unlikely that the flaw will be exploited on a widespread basis.

"It does not run by default. I think someone would actively have to turn those services on for it to be a problem," said Kevin Long, information security analyst at TruSecure Corp. in Reston, Va. According to several messages posted to the Bugtraq mailing list this week, the exploit works on versions 10 and 10.1—which is the most current—of the Mac OS.

Apple, based in Cupertino, Calif., released on Friday a patch for the problem.

Long and Jon McCown, senior technical director at TruSecure, said you can also work around the problem by changing the permission levels on the NetInfo Manager.

Mac OS X is shipped pre-installed on all Macs.

Apple did not return a call for this story.