A security researcher made the macOS Zero Day Kernel flaw public on New Year’s Day
Apple received an unwelcome New Year’s gift in the form of a public disclosure of a years-old macOS Zero Day Kernel flaw. The flaw was revealed by a security researcher who goes by the alias Siguza. Per the researcher, the vulnerability is at least 15 years old. They released details on the flaw as well as a Proof of Concept (available on GitHub).
The flaw represents a major local privilege escalation (LPE) vulnerability that could enable an attacker to gain root access to a system and execute malicious code. The proper malware – anything designed to exploit a flaw like this – could fully install itself deep within the system.
Siguza claims the code is 15 years old, but per The Hacker News, some clues indicate that this could be a decade older than that.
This LPE flaw is attributed to the IOHIDFamily, which is an extension of the macOS kernel designed for human interface devices like a touchscreen or buttons. The flaw lets an attacker install a root shell or execute arbitrary code on the system.
“IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements… I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability.”
The exploit shown by Siguza, cleverly named IOHIDeous, affects all versions of macOS. The exploit also disables System Integrity Protection and Apple Mobile File Integrity security features – these both defend against malware.
The exploit can only occur when a user logs out or is forced to log out. Unfortunately, Apple’s bug bounty program doesn’t offer rewards for macOS bugs, so rather than report this zero-day directly to Apple, he just dumped it on Twitter. Like you do.