2017 proved to be a software fiasco for Apple, as the company struggled with a plethora of bugs, both security and non-security, impacting its mobile and desktop platforms.
On December 31, a new unpatched vulnerability in macOS went public, with all versions of the desktop operating system said to be affected, possibly including version 10.13.2, which was released on December 6.
Published by security researcher Siguza on Twitter, the security flaw allows an attacker to obtain root access and take full control of a system, though it’s important to know that a successful exploit requires local access to the computer to execute arbitrary code.
The local privilege escalation (LPE) vulnerability was discovered after the researcher started inspecting the iOS kernel for security flaws, only to discover the glitch in an extension of IOHIDFamily called IOHIDSystem that’s exclusively used on macOS. This particular component is required for human interface devices (HID).
No patch just yet
Siguza demonstrated an exploit called IOHIDeous, which is triggered when the system logs out, such as during reboots or shutdowns, with certain security features of the OS being disabled, including System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI).
The vulnerability wasn’t reported to Apple before the disclosure took place. The researcher says it’s been around since 2002, and that he did not reach out to the company first because its bug bounty program does not include LPE flaws for macOS.
In a series of tweets, Siguza explains that his purpose wasn’t to expose users, and since the flaw isn’t remotely exploitable, the severity of the vulnerability isn’t critical.
“My primary goal was to get the write-up out for people to read. I wouldn’t sell to blackhats because I don’t wanna help their cause. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable,” he tweeted. “Since neither of those were the case, I figured I’d just end 2017 with a bang because why not. But if I wanted to watch the world burn, I would be writing 0day ransomware rather than write-ups.”
Apple is expected to ship a patch for this vulnerability in the coming weeks, but since it’s not a critical issue, don’t hold your breath for a fix.