A 15-year-old unpatched MacOS vulnerability was publicly released on New Year's Eve by a security researcher. The zero-day flaw allows hackers root access to targeted Macs and can be easily exploited, according to a security researcher going by the pseudonym Siguza, who posted the Apple bug on Twitter on 31 December.
"F**k it, dropping a macOS 0day. Happy New Year, everyone," Siguza wrote, posting a GitHub link to the proof-of-concept code.
The zero-day vulnerability is a local privilege escalation (LPE) flaw, which means that it can only be exploited when the attacker already has local access to the targeted device. The bug affects the IOHIDFamily MacOS kernel driver, which handles various kinds of user interactions.
"One tiny, ugly bug. Fifteen years. Full system compromise," the security researcher wrote.
According to Siguza, the bug is triggered by logout operations, which means that hackers have no need to employ social engineering tactics to exploit the zero-day vulnerability. The bug can also affect Apple's security programs such as the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI), allowing hackers to disable both programs.
According to Siguza, the proof-of-concept affects MacOS High Sierra 10.13.1 and earlier versions but can be tweaked to also be applicable to the recently released 10.13.2 version of the OS (operating system).
Since Siguza did not alert Apple prior to releasing the bug, it remains unpatched at the moment. It is also unclear whether Apple will issue out a fix for it at a later date.
2017 saw multiple instances of security researchers publicly releasing Apple bugs, which are considered to be rare in the infosec community and often fetch a substantial sum of money if sold to third-parties.
When a Twitter user asked Siguza why he chose to publicly release the MacOS bug instead of selling it, Siguza responded: "My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable.
"Since neither of those was the case, I figured I'd just end 2017 with a bang because why not. But if I wanted to watch the world burn, I would be writing 0day ransomware rather than write-ups ;)."