“One tiny, ugly bug. Fifteen years. Full system compromise,” wrote one security researcher, starting a Twitter storm on New Year’s Eve. Apple has had one tough year full of security disasters, and it appears the company is greeting the new year with even more security vulnerabilities. Unlike the macOS root vulnerability, the latest security flaw isn’t that severe, but it shows that Apple has been sloppy when it comes to software security.
A security researcher calling themselves a “hobbyist hacker” released a zero-day macOS vulnerability that they suggest is “at least” 15 years old. The unpatched flaw can enable an unprivileged user to take control of the system if they have physical access to the system to execute arbitrary code and get root permissions.
The bug is a local privilege escalation (LPE) vulnerability in IOHIDFamily, an extension of the macOS kernel, that can allow an attacker to install a root shell or execute arbitrary code. The researcher writes that it affects all versions of macOS and enables arbitrary read/write in the kernel. Not only that, it appears that the vulnerability can also be used to disable the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features that provide protection against malware.
Why you probably shouldn’t worry too much about this macOS bug
The researcher noted that for the exploit to work, it has to log the user out – which will of course make the fire alarms go off. However, the attacker can instead design it to work when a user shuts down or restarts their machine to keep it stealthy.
“Needs to be running on the host already (nothing remote), achieves full system compromise by itself, but logs you out in the process,” the researcher wrote. “Can wait for logout though and is fast enough to run on shutdown/reboot until 10.13.1. On 10.13.2 it takes a fair bit longer (maybe half a minute) after logging out, so if your OS logs you out unexpectedly… maybe pull the plug?”
And maybe don’t download & run untrusted software until the bug is patched (or, you know, ever)? Also, any decent antivirus shouldn’t take long to add this to their malware definitions.
The vulnerability affects only macOS and not iOS, which is primarily why the researcher dumped it online instead of making use of Apple’s bug bounty program.
You shouldn’t worry, but Apple certainly needs to
The latest research proves yet again that the Cupertino tech giant continues to discount security on its desktop systems. Apparently, Apple’s bug bounty program doesn’t include macOS bugs.
Also, Siguza – the online moniker of the security researcher – isn’t very happy about people calling them irresponsible since this vulnerability doesn’t enable any sophisticated, stealthy attacks.
As for a fix, the researcher noted that Apple has been contacted and is working on a patch. Apparently, Apple engineers weren’t “too sad” about Siguza ruining their holidays. With such a start to the new year, let’s hope Apple starts actively focusing on software security instead of scrambling after security flaws have been dumped in public.
For extensive technical details, head over here.