0-day bug in fully patched OS X

aamjohns
Contributor II

Link to article on arstechnica

Hackers are exploiting a serious zero-day vulnerability in the latest version of Apple's OS X so they can perform drive-by attacks that install malware without requiring victims to enter system passwords, researchers said.

I am wondering what others think and plan to do given the apparent limited options at this time.

Thanks,
Aaron.

8 REPLIES

jwojda
Valued Contributor II

Is putting your head in the sand and hoping nothing happens and a patch is issued sooner rather than later an option?

aamjohns
Contributor II

It seems that way. We are only going to apply a patch from Apple so it is pretty much up to them.

mm2270
Legendary Contributor III

Nice. So this looks to be based off of the vuln that that guy Esser released without responsible disclosure a few weeks back. I hope he's happy with himself now.

calumhunter
Valued Contributor

If I recall correctly, he contacted Apple about it months before releasing it. Apple as usual did nothing.
Looks like it was fixed in 10.11 by accident, probably due to code refactoring.

It seems that Apple needs this public outing of exploits before they do anything about it.

This is not the first time exploits have sat around, completely known to Apple for months/years before a fix is implemented.

sean
Valued Contributor

There was no claim that he contacted Apple that I saw; he just decided that because it wasn't a flaw in 10.11, this meant they knew about it months ago.

Esser also waited until his company had created a patch for it before they announced it. Why would they possibly wait until they patched it before announcing the defect? Maybe they avoided contacting Apple.

Disappointing, though, is Apple's response to these recent issues, particularly the newly announced Thunderstrike 2. If nothing else, Apple should be supplying a list of known 'at risk' devices, but I doubt we will see anything until we don't have to worry about it anymore. Of course, this one is much worse than anything else that has come to light. If this were to get going, how many people would be happy that their device requires expensive repairs or replacing? The irony is how Apple dropped supporting Java as they didn't like how long it took them to patch the software.

To get going, Thunderstrike 2 appears to initially require admin permissions, so we can thank Esser for that too. With one exception though, infected Thunderbolt devices, which could be infected from manufacture!

We are in a new world of attack vectors and perhaps Apple needs to publicly recognise and address this!

mm2270
Legendary Contributor III

There's a tweet from Esser from yesterday after news of this active exploit broke saying that Apple was notified of the bug months ago. However, his tweet is deceptive in that if you dig a little, what he's referring to is that it appears another researcher, a Korean that goes by the name @beist had found the same bug prior to Esser and notified Apple, and chose not to publish it, basically practicing responsible disclosure. So Esser's tweet seems to be referring to that, and not himself. Back when he published his findings and was asked by other researchers why he chose to go public without contacting Apple, his response was more or less 'Why should I care?' Seems like now that there is an active exploit making the rounds, he's just trying to cover his @ss and deflect criticism for his decision if you ask me. This guy has no morals and won't even admit that perhaps what he did was irresponsible.
All that being said, I will grant you Apple's role in this is just as irresponsible. Apple's track record of addressing security issues of late is simply atrocious and embarrassing. I don't know what's going on with them. Either they just don't have the chops in house to address these issues in a more timely manner, or they just don't really care that much and are too busy designing beautiful jaw-dropping products. They need to pull their heads out and get on top of these issues. It's like OS X is becoming the new Windows of yore. Maybe they should take the yearly OS releases down a notch and focus on fixing stuff instead? Boy, what a concept!

The only good news I see is that apparently this is addressed in the latest 10.10.5 beta, but lord only knows how long we have to wait for that. They should issue a separate security update instead of rolling this into the next point release, but that's Apple for you.

jescala
Contributor II

I just spotted an XProtect update released today that blocks "OSX.Genieo.B." I presume this will block the 0-day exploit that is in the wild. (Is anyone able to confirm?) However, until a patch is released, the underlying vulnerability could still be exploited.

mm2270
Legendary Contributor III

It's nice that Apple is now adding adware like Genieo to their XProtect list. It's funny, Thomas Reed (developer of Adware Medic) has apparently been trying to get Apple to care about adware for a while now. They have been ignoring adding adware to their list, until now it seems. I'm not sure if this exploit made them take notice, or if adding adware was in their plans all along. Guess we may never know.

In other news, I just noticed that a little over 2 weeks ago Malware Bytes acquired Adware Medic and is incorporating it into their product line, renamed as "Malwarebytes Anti-Malware for Mac". Looks like it's largely the same product, just revamped/improved, and is remaining free (for now at least). Thomas Reed will still be doing the development on it, it looks like. Sounds like a good move to me since Malware Bytes is well known to be an excellent malware/adware removal program on Windows.