On the last day of 2017, a security researcher going online by the pseudonym of Siguza published details about a macOS vulnerability affecting all Mac operating system versions released since 2002, and possibly earlier.
Siguza did not notify Apple in advance, so at the time of writing, there is no fix for this flaw.
Despite the doom and gloom, the vulnerability is only a local privilege escalation (LPE) flaw that can only be exploited with local access to a computer or after an attacker has already got a foothold on a machine. The vulnerability grants root access to an attacker.
The issue affects the IOHIDFamily macOS kernel driver, a component that handles various types of user interactions.
Siguza said he read about various flaws in this component and took a look at it to find new ways to compromise iOS, Apple's mobile operating system, where IOHIDFamily is also deployed. The expert says he found the LPE flaw in the IOHIDFamily code specific to macOS versions only.
While Siguza did not contact Apple, he did write a very detailed report on how someone could exploit the flaw. Nonetheless, Siguza clarified his position in a tweet published on January 1.
"My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable," he said.
According to Siguza, the flaw is easy to exploit because it triggers on logout operations. This means attackers can get root access on a machine whenever the user logs off, reboots, or shuts down his computer, all very common operations that take place on a daily basis, meaning there's no need for social engineering to exploit the flaw.
Bleeping Computer has reached out to Apple for comment on the vulnerability. Taking into account the holiday season, Apple will most likely not release an update in the following days.
In addition, LPE flaws are not considered critical, and it's likely that Apple won't release an emergency update to fix the issue, but address it as part of its next monthly security update train.