Ars Technica reports Bug in latest version of OS X gives attackers unfettered root privileges
"A bug in the latest version of Apple's OS X gives attackers the ability to obtain unfettered root user privileges, a feat that makes it easier to surreptitiously infect Macs with rootkits and other types of persistent malware."
"According to Esser, the OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Developers didn't use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that allows attackers to open or create files with root privileges that can reside anywhere in the OS X file system."
Security is hard. At least Apple is trying to elevate it in some products. MacWorld reports Apple's security requirements are reportedly holding up HomeKit. "Apple has stringent requirements for manufacturers aiming to get HomeKit-certified for Bluetooth LE and Wi-Fi accessories: those devices must use 3072-bit keys and Curve25519, the 128-bit elliptic curve, for encrypted key exchange and digital signatures. Those security standards will help HomeKit devices protect against outside attacks, but they’re also causing lags in devices that are supposed to respond quickly to user requests. For instance, a smart door lock that takes seven minutes to open using Apple’s encryption requirements, or even 40 seconds, can’t compete with a dumb door lock that opens almost instantly. The problems are at the chip level. Broadcom and Marvell are working to make their Bluetooth LE chips beefy enough to withstand Apple’s encryption standards so the lag time isn’t so lengthy."