Apple users are being advised to upgrade to the latest OS X release, version 10.10.3, as soon as possible following the disclosure of a hidden API which allows back-door access to a system-level account.
Apple's OS X is frequently touted by its fans as inherently more secure than Microsoft's Windows, and while there is some argument to be made that its adoption of POSIX-compliant permissions and other Unix-inspired security systems make it a harder target it's a fact that any complex software stack is vulnerable to attack. Security researcher Emil Kvarnhammar has proven that with the publication of a hitherto unknown back-door API in the operating system which allows any user to break free of a restricted account and gain system-level privileges.
In a blog post
detailing the issue, Kvarnhammar suggested that the API was originally introduced to allow the System Preferences and related systemsetup utilities to make changes to the system when executed from a normal unprivileged user account, but was never locked down. As a result, any process can take advantage of the API to gain system-level privileges - including viruses and malware looking to take complete control of the system.
The flaw, Kvarnhammar claims, has been present in the system going back to at least 2011 and potentially earlier. Apple was alerted to the problem in October of last year, and worked on a patch which was included in OS X 10.10.2. Unfortunately this patch was unaffected, and it's only with the release of OS X 10.10.3 this week that the hole has been properly secured - making it a must-update release for any user of prior OS X revisions.