15-year-old Unpatched Root Access Bug found in Apple’s macOS

An IT security researcher has leaked details on an unpatched Apple’s macOS bug which lets attackers gain root access and take complete control of a targeted device.

After a disastrous 2017, where Apple faced all sorts of security-related issues and complaints, the company is in trouble again right from the first day of the New Year! On the very first day of 2018 (or the last day of 2017, depending on your location and region), a security researcher having immense expertise in hacking Apple’s iOS has posted details of an unpatched security flaw present in macOS operating system.

“One tiny, ugly bug. Fifteen years. Full system compromise” wrote the researcher, who uses the alias Siguza (s1guza).

The researcher stated that the flaw can be exploited by cyber-crooks to gain full control of the computer. The unpatched zero-day vulnerability is claimed to be 15 years old. The researcher has also posted a proof-of-concept exploit code, which can be reviewed on GitHub.

Siguza, who also calls himself Hobbyist Hacker, noted that this is a dangerous local privilege escalation (LPE) flaw, which allows anyone (even an unprivileged attacker) to obtain root access on the targeted computer so as to execute malicious code. This LPE flaw affects the kernel extension IOHIDFamily, which was designed for HID (human interface device) like touchscreen or buttons.

Furthermore, the malware that has been designed to exploit this 0-day vulnerability can install itself deep into the system and cybercriminals can target Apple’s critical security programs like the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI).

In order to successfully carry out the exploitation of the system, cybercriminals need to get users logged out from the system, which is likely to alert most of the users. However, to evade detection, cybercriminals can attack when the system is shut down or restarted.

The flaw was discovered when Siguza was trying to identify flaws that would allow him to hack the iOS kernel. While doing so Siguze noticed that some of the extension’s components including the IOHIDSystem existed solely on macOS. This discovery led to the identification of the critical zero-day vulnerability in the operating system. Siguza wrote in his post:

“Needs to be running on the host already (nothing remote), achieves full system compromise by itself, but logs you out in the process.”

“Can wait for logout though and is fast enough to run on shutdown/reboot until 10.13.1. On 10.13.2 it takes a fair bit longer (maybe half a minute) after logging out, so if your OS logs you out unexpectedly… maybe pull the plug?” explained Siguza.

The vulnerability is found only in macOS and not in other Apple products such as the iOS but it affects all versions of macOS. Although the flaw is not too serious and concerning it does show that Apple needs to enhance the security of its software. The proof-of-concept created by Siguza is applicable on macOS High Sierra 10.13.1 and earlier versions but he believes that the exploit can be tweaked to become effective on a new version of macOS 10.13.2 released on Dec 6.

Siguza further added that the reason why he publicly announced his findings instead of informing Apple secretly is that the flaw was not remotely exploitable and Apple’s bug bounty program also didn’t cover macOS. Apple, on the other hand, hasn’t responded to the news or released any statement in relation to the findings of Siguza. We will update the article when Apple responds.


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.