
IOHIDeous is a macOS zero-day for the new year

A newly discovered macOS zero-day flaw, called IOHIDeous, affects all versions of Apple's desktop operating system and can allow for full-system compromise.

In a somewhat unorthodox New Year's gift, a developer detailed a long-unpatched macOS zero-day flaw that could allow an attacker root access for full-system compromise, although it cannot be exploited remotely.

Siguza, a hobbyist developer and hacker from Switzerland, described in great detail a zero-day vulnerability, dubbed IOHIDeous, which is said to affect all versions of macOS going back 15 years.

"This is the tale of a macOS-only vulnerability in IOHIDFamily that yields kernel [read and write] and can be exploited by any unprivileged user," Siguza wrote in a GitHub post. "IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately lead to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements. I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn't know it then [sic] is that some parts of IOHIDFamily exist only on macOS -- specifically IOHIDSystem, which contains the vulnerability discussed herein."

Siguza released proof-of-concept (PoC) exploit code for IOHIDeous, but noted that not all of the parts have been tested across all versions of macOS. Part of the attack "doesn't work on High Sierra 10.13.2 anymore," but Siguza said the vulnerability is still present and may be exploitable in different ways. Siguza successfully tested other portions of the PoC attack on High Sierra, and the exploit is assumed either to work on other versions of macOS or be easily adapted for other versions.

However, while exploiting the IOHIDeous macOS zero-day could allow an attacker to escalate privilege, run arbitrary code and gain root access, Siguza said on Twitter that the risks are somewhat lessened because the flaw is not remotely exploitable and because "triggering [the] bug is pretty noticeable, with the entire UI being torn down and whatnot."

Siguza also commented on why IOHIDeous details were released publicly and not sold either on the dark web or to a bug bounty program.

"My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna [sic] help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the [vulnerability] was remotely exploitable," Siguza wrote on Twitter. "Since neither of those were the case, I figured I'd just end 2017 with a bang because why not. But if I wanted to watch the world burn, I would be writing zero-day ransomware rather than write-ups."

As of the time of this post, Apple has not responded to requests for comment or released information about any potential IOHIDeous patch.


Join the conversation


Does your organization use macOS? What security do you use for protection?
We do not use any Apple products for this reason. When you have store employees telling you Apple has no vulnerabilities and is immune to viruses and malware, then you read an article like this, you have to wonder how bad it really is.
