Another big security flaw in OS X Yosemite has been discovered, but instead of telling Apple first, the researcher who found it posted his findings on the Internet. That means Apple has no head start on patching the flaw, and anyone who wants to attack Macs now has access to a working exploit.
OS X tpwn security flaw posted online before alerting Apple
Luca Todesco posted his findings on Github on Sunday. He detailed an exploit, dubbed tpwn, that lets code already running on a Mac escalate itself to a root shell, giving an attacker full control of the machine without needing the user's password. The flaw is in all versions of OS X Yosemite, including the just-released 10.10.5 update.
The 10.10.5 update patched what's been dubbed the DYLD security flaw, but it doesn't address this new issue. According to Engadget, the company is already working on a patch, but hasn't said how soon it will be available.
The big issue in this case is twofold: First, there's a potentially serious Mac security flaw in the wild. Second, the person who discovered it made his findings public without first alerting Apple.
Disclosing security flaws without first contacting the product maker is generally seen as bad form and irresponsible, and that's exactly what Mr. Todesco did. He says there's a patch available that isn't from Apple, although the company hasn't approved it. An unofficial patch is itself unvetted code, so applying one trades one risk for another.
The tpwn flaw apparently isn't present in OS X El Capitan, which is in public beta now and will officially launch in the coming weeks.
Until Apple has an official patch for this new flaw, it's best to keep safe Web surfing practices in mind: Don't visit websites you don't trust, and never install apps from untrusted sources. Since tpwn needs code running on the Mac to begin with, that second point matters most; leaving Gatekeeper at its default of allowing only apps from the Mac App Store and identified developers helps enforce it.