tpwn OS X exploit: What you need to know

MacBook Pro in low light (Image credit: Rene Ritchie / iMore)

tpwn is a vulnerability that affects OS X 10.9.5 Mavericks through OS X 10.10.5 Yosemite, but does not affect the currently-in-beta OS X 10.11 El Capitan. With tpwn, malicious code on your Mac could escalate its privileges—gain "root" access—and potentially exploit the system. The vulnerability was released without warning—also known as a 0day—and without prior disclosure to Apple. That means Apple learned about it pretty much when the rest of the world did.

What does tpwn do?

tpwn is a privilege escalation exploit, which means, to use a bad analogy, it's like a thief that can't break into your house by itself. It needs help to get in. Once in, however, it can break open your safe and rummage around. The vulnerability was disclosed on GitHub, and Macworld followed up with the researcher to get the specifics:

The exploit uses two bugs to cause a memory corruption in OS X's kernel, he wrote via email. The memory corruption condition can then be used to circumvent kernel address space layout randomization (kASLR), a defensive technique designed to thwart exploit code from running. The attacker then gains a root shell. The exploit code works in OS X versions 10.9.5 through 10.10.5. It is fixed in OS X 10.11, the beta version of the next Apple OS nicknamed El Capitan.

Has Apple patched the problem?

Apple learned about the problem a couple of hours before the rest of the world so it will take the company some time to develop, test, and push out a patch for Mavericks and Yosemite.

It is, however, already patched in the beta versions of OS X El Capitan, likely due to other changes made for Apple's upcoming version of the Mac OS.
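Until a patch ships, the version range given above is the only thing to triage on. The script below is an added example, not code from this article or from Apple: it classifies a constructed host inventory against that range, and its function names, status labels and host names are assumptions. Versions the article says nothing about are reported as not-stated rather than guessed.

```shell
#!/bin/sh
# Added example: classify OS X versions against the range this article gives
# for tpwn (10.9.5 through 10.10.5 affected, 10.11 not affected).
# On a live Mac the version string comes from: sw_vers -productVersion

# Pack "major.minor.patch" into one integer so 10.10.5 sorts after 10.9.5.
# Plain string comparison gets this wrong ("10.10.5" sorts before "10.9.5").
ver_key() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  for part in "$major" "${minor:-0}" "${patch:-0}"; do
    case "$part" in
      ''|*[!0-9]*|0?*) return 1 ;;  # empty, non-numeric, or leading zero
    esac
  done
  echo $(( major * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# Prints one of: affected, not-affected, not-stated, invalid.
classify_tpwn() {
  key=$(ver_key "$1") || { echo invalid; return 0; }
  if [ "$key" -ge 10011000 ]; then
    echo not-affected              # 10.11 and later, per the article
  elif [ "$key" -ge 10009005 ] && [ "$key" -le 10010005 ]; then
    echo affected                  # 10.9.5 through 10.10.5
  else
    echo not-stated                # the article makes no claim here
  fi
}

# Reads "host version" lines on stdin, appends the classification.
triage() {
  while read -r host version; do
    [ -n "$host" ] || continue
    printf '%s %s %s\n' "$host" "$version" "$(classify_tpwn "$version")"
  done
}

# Constructed inventory, for illustration only.
triage <<'EOF'
imac-lab 10.9.5
mbp-design 10.10.3
mini-build 10.11
mbp-legacy 10.8.5
EOF
```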

Do I need to worry about tpwn?

Worry is a strong word. There's no indication of attacks based on tpwn "in the wild" and so the vast majority of people have very little to be concerned about at the moment. tpwn would also need to be used in conjunction with something else, like a social engineering attack that conned you into letting it onto your Mac, before it could do anything.

So, the usual advice applies: Don't download software from any source you don't absolutely trust. That means the Mac App Store, major vendors like Microsoft or Adobe, and trusted developers, and even then only from direct links. Also, don't give someone you don't absolutely trust unfettered access to your Mac.

Apple is also delivering new technologies with OS X El Capitan, including System Integrity Protection which limits what malware can do even if it escalates to root privileges.

As soon as Apple has a patch ready, we'll let you know!

Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

19 Comments
  • From what I can ascertain, it looks like this requires code to actually run on your system - i.e. you'd need to have an app that is built to exploit this vulnerability and then actually do something with it. Keep your deflector shields raised - flip "Allow apps downloaded from:" ... back to Mac App Store, be vigilant for any app requesting elevated privileges!
  • Correct, it would be used by existing malware to escalate privileges and gain root access, but that existing malware would still have to get on your machine first. (You'd have to download it or someone would have to sneak it on.)
  • It’s not impossible to get it from legitimate sources; remember that Charlie Miller managed to get malware approved and onto the App Store.
    If it’s gonna happen it’s gonna happen. The Mac is becoming a bigger target every day. Time for us to start feeling the pain that Windows endured.
  • Mac users will never feel the pain that Windows endured. They are two very different operating systems.
  • One of the most ridiculous short sighted posts I’ve ever seen on any forum, any time. So what if they are different operating systems.
  • Incorrect. I use both systems on a daily basis for years, Windows of any flavor is excruciating to get and keep working correctly. OS X has certainly wasted my time with bs, but it's usually limitations rather than malfunctions. I have been battling Windows and the programs I need for work for about 3 days now, and this is nothing unusual, it is a constant occurrence. Sent from the iMore App
  • LOL...ok, you made me seriously laugh out loud. As an IT Manager at the headquarters of a Fortune 5 company...it matters a great deal. Carry on.
  • Glad a lot of these are fixed in the new OS. I always keep my setting to only allow software from the App Store. Odd thing last night when in the middle of downloading 30 episodes of a show from the iTunes store my Mac crashed and got that black screen where it tells you your Mac crashed and to restart. Checked the console and had tons of this stuff webkit DB writes and kernel panic. Ugh. I'll be happy when the new OS comes out since I feel it's mainly an extension of Yosemite to strengthen it even more.
  • The fact that this does not work on next generation OS could be very telling... Did Apple know about this possible exploit and choose not to worry about it hoping that no one would find it... Hmm???
  • Or carry the conspiracy theory out a little further. El Capitan beta testing has not achieved critical mass yet for a larger release. Apple takes a page from the Lenovo playbook and releases this exploit. No fear it's patched in El Capitan, btw the beta is open and free for the public. N Sent from the iMore App
  • No.
  • I've heard several developers complain about El Cap's System Integrity Protection, but I'm loving it!
    I can't seem to install Ruby with Rails just now, but it's not urgent and I know a workaround will be developed soon.
    We can no longer be so free and easy about where we install software and that's not a bad thing, IMHO. Sent from the iMore App
  • "OMG THEY'RE LOCKING US IN YAAAAASSS" Google knows why kids love the taste of cinnamon toast crunch. And they're willing to sell it to you.
  • Good thing to know, considering I purchased a new MacBook as a birthday gift! Really appreciate articles like this, Rene and iMore team! Keep it up!
  • Why would this have ANY bearing on a decision to buy a computer? Seriously...
  • I'm guessing he is new to OS X... And so this info is comforting to him
  • Simply put Apple is no longer the thick walled fortress it once was. Over time anything can and will be infiltrated, however the Mac OS world is still far smaller than Windows in terms of raw target numbers and yet Mac users are consistently more affluent and will make richer targets for hackers.
  • Yes "numbers" have nothing to do with it. If you are a malware author you have ALWAYS been, numbers wise, better off going after the 30 million Mac users, most of whom do not have any 3rd party security installed, and who by nature of their expensive computer purchase have money, are more educated, have money, and not accustomed to concerns about viruses, they have money! So if you were a malware author would you go after the (numbers for illustration) 10,000 users of $380 HP laptop, with McAfee and Kaspersky or the 100 users of a $3000 MacBook Pro with no security software? But wait...there's Mac OS X! 17 years running and a handful of POC and minor limited wares inserted exploits. Those are the only numbers I care about.
  • Does it matter at all which one you have an exploit for? Or for which one you can most easily find/develop one?