Full macOS Compromise Using 15-Year-Old Bug

Details of vulnerability released over Twitter by security researcher.

A recently discovered vulnerability in macOS allows for full system compromise of macOS versions dating back 15 years. Residing in the "IOHIDFamily" component – notoriously used in the past to exploit various race conditions leading to system compromise – the vulnerability doesn’t seem remotely exploitable by itself, although it has existed for at least 15 years.

The vulnerability can be triggered only with local access to a Mac, and all macOS versions up to 10.13.1 appear to be affected. Security researcher Siguza warns that the vulnerability can still be weaponized to be remotely exploitable if a “sleeper program” – or malware with similar behavior – simply waits for the user to log out, reboot, or shut down, before activating the vulnerability.

“It acts as if the user had actually chosen to log out via the GUI - which means that apps with unsaved changes can still abort the logout, or at least prompt for confirmation (an example for this is Terminal with a running command),” according to Siguza’s detailed technical post on the vulnerability. “But second, alternatively to a logout, a shutdown or reboot will do as well. This makes for an interesting possibility: we could write a sleeper program and just wait for conditions to become favorable - I have no access to any statistics, but I’d assume most Macs are eventually shut down or rebooted manually, rather than only ever going down as the result of a panic.”

The researcher chose not to contact Apple before announcing the vulnerability over Twitter, citing two reasons: Apple has no bug bounty program for macOS, and the vulnerability is not remotely exploitable out of the box, limiting potential “use cases” for cybercriminals.

“My primary goal was to get the write-up out for people to read,” reads his Tweet. “I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable.”

Apple has yet to comment on the issue. The company has frequently made headlines of late, as it had to fix several security problems revolving around trivial issues, such as unauthenticated “root” access. Once a patch becomes available, users are strongly encouraged to download and install it immediately.

Meanwhile, a security solution designed for macOS could also protect against cybercriminals and malware, as it would prevent, detect, and remove any type of malicious application that could compromise the security of your Mac or data.