Slashdot Mirror


macOS Exploit Published on the Last Day of 2017 (bleepingcomputer.com)

An anonymous reader shares a report: On the last day of 2017, a security researcher going online by the pseudonym of Siguza published details about a macOS vulnerability affecting all Mac operating system versions released since 2002, and possibly earlier. Siguza did not notify Apple in advance, so at the time of writing, there is no fix for this flaw. Despite the doom and gloom, the vulnerability is only a local privilege escalation (LPE) flaw that can only be exploited with local access to a computer or after an attacker has already got a foothold on a machine. The vulnerability grants root access to an attacker. The issue affects the IOHIDFamily macOS kernel driver, a component that handles various types of user interactions. Siguza said he read about various flaws in this component and took a look at it to find new ways to compromise iOS, Apple's mobile operating system, where IOHIDFamily is also deployed. The expert says he found the LPE flaw in the IOHIDFamily code specific to macOS versions only. In a tweet, Siguza said, "My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable."

2 of 62 comments

  1. Re:Apple is getting fat and lazy by MachineShedFred · Score: 4, Interesting

    The good news is that even on the absolute first version of OS X, if you wanted to do anything that was outside the user home folder, or even with the user's keychain, it would ask for your password.

    I don't know about you, but if you go to a web site and then it starts asking for your system password, YOU DO NOT PUT IT IN.

    You are correct that Safari auto-expanding compressed archives wasn't a good idea. However, the inherent security design that the actual engineers managed to persuade Jobs to keep in the OS prevented major damage from things like that, to the point that even Jobs was recounting his at-the-time skepticism and praising that design and those engineers in on-stage interviews years later.

    No operating system is without flaws. However, mix a bit of common sense in with good design, and you come out ahead of just good design.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  2. Re:only a local privilege escalation by TheRaven64 · Score: 3, Interesting

    This looks as if it's exploitable even for sandboxed processes. This isn't such a big deal on macOS, where both users of the Mac App Store might need to worry, but most other people are only running sandboxed apps written by Apple (I'm not sure if WebKit renderer processes have direct HID access - I don't think they do, because HID events are proxied for them from the privileged component, though the XPC vulnerability a few months ago turned sandboxed WebKit component vulnerabilities into whole-machine compromises). It is a much bigger deal for iOS, where most users run not-very-trusted applications from the iOS App Store and rely on the sandbox framework to isolate them. The sandbox framework doesn't work so well on a compromised kernel.

    --
    I am TheRaven on Soylent News