18-year-old Luca Todesco from Italy discovered two zero-day vulnerabilities in OS X that could remotely access a computer. A program written by a teenager uses two bugs that cause memory corruption in the OS X kernel. OS X versions 10.9.5 through 10.10.5 are vulnerable. In 10.11 and beta versions of the next OS El Capitan, the holes were patched. Luca posted his exploit on GitHub, having previously notified Apple of the problem.
Corrupted memory helps bypass the randomization of locations in the kernel address space, which is specifically designed to prevent exploits from running. In the future, an attacker can gain full access to the victim’s computer. A young programmer developed a patch called NULLGuard and posted it on the same resource. For the Italian, the creation of malware is not the main occupation; he does security research in his spare time. You can download NULLGuard here: github