Apple Finally Responds to That 15-Year-Old macOS Bug Giving Attackers Root Access

A security researcher dumped a 15-year-old macOS bug on the new year’s eve. He had called it a tiny, ugly bug that leads to full system compromise. The bug was a local privilege escalation vulnerability that affects all versions of the Apple’s desktop operating system. It’s been 3 days since the details of this bug were published online and Apple is yet to deliver a fix. The company, however, promises that it’s working on the patch.

macOS LPE bug leads to full system compromise but needs physical access

After the security researcher who goes by the name Siguza on the internet published the bug online, they had added that Apple is aware of the flaw and is working on a fix. Since Siguza had called it a zero day security vulnerability, it was expected that the Cupertino tech giant would act fast to deliver a patch.

Related Fresh iPhone 9 Leaked Case Render Corroborates Return Of Bezels On The 2018 Lineup

However, Siguza had noted at the time that it is not a remotely exploitable vulnerability, which was why he hadn’t thought twice before publishing it online instead of contacting Apple directly. [Apple’s not offering any bounties for macOS vulnerabilities was another major reason]

The iPhone maker has now given an update on what is happening and has promised to deliver the patch later in January. “Apple is committed to the security of our customers’ devices and data, and we plan to patch this issue in a software update later this month,” the tech giant said in an emailed statement. The company has also advised users to avoid installing any software from out of the App Store in the meantime.

Related Apple’s 7nm A12 Processor For 2018 iPhone Lineup Enters Mass Production As TSMC Ramps Up 7nm Production Suggests Source

“Since exploiting the vulnerability requires a malicious app to be loaded on your Mac, we recommend downloading software only from trusted sources such as the Mac App Store.”

The bug, as shared in our original post, affects IOHIDFamily and isn’t remotely exploitable or sophisticated. It also requires the attacker to force a logout of an active session unless an attacker triggers it when the device is being booted or shut down – in which case users will notice a delay.

Even though it isn’t stealthy or sophisticated, the macOS security bug does lead to full system compromise and attackers can obtain root privileges. It also disables Apple’s System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features. While the bug has been present since at least 2002 (researcher said it could be older), it is finally going to be fixed later this month. In the meantime, pay attention to Apple’s advice and stick to trusted sources for downloading software.

– Relevant: Cybersecurity disasters that made everyone wanna cry in 2017

Tweet Share


Apple Wanted to Remove the Lightning Connector on the iPhone X and Go Completely Wireless

macOS Quick Look May Be an Easy Way to View Files But Doesn't Appear to Be the Most Secure One

Apple Will Produce Twice As Many 2018 iPhone 9 Units As The iPhone X(s) And iPhone X(s) Plus

2018 iPhone 9, iPhone X(s) & iPhone X(s) Plus Screen Protectors Enter Mass Production And Leak, Confirming Design

There's More To The Previous Reports Of Low 2018 iPhone Orders