What happened?
A developer known on GitHub by the nickname Siguza made an unorthodox New Year's gift: he disclosed a long-standing zero-day vulnerability in macOS that lets a local attacker gain root access and then fully compromise the system. The vulnerability has existed for a long time, but it cannot be exploited remotely.
Siguza, a programmer and hacker from Switzerland, described the vulnerability in detail and named it IOHIDeous. According to Siguza, every macOS version released over the past 15 years is affected.
Original: IOHIDeous is a macOS zero-day for the New Year
Vulnerability description
The vulnerability is specific to macOS and lives in the IOHIDFamily kernel extension. It gives an unprivileged user read and write access to kernel memory, which is enough to escalate to root.
Siguza's detailed write-up is published in the GitHub post IOHIDeous.
Brief extract from the post:
In the past, IOHIDFamily was notorious for the many race conditions it contained, which ultimately led to large parts of it being rewritten to use command gates, and to large parts being locked down by means of entitlements. I was originally looking through the IOHIDFamily source code in the hope of finding some "low-hanging fruit" that would let me compromise the iOS kernel, but what I didn't know at the time was that some parts of IOHIDFamily exist only on macOS - specifically IOHIDSystem, which contains the vulnerability described in the post.
Siguza published proof-of-concept (PoC) exploit code for IOHIDeous, but clarified that not every part of the exploit was tested on every version of macOS. Part of the exploit code "no longer works on High Sierra 10.13.2," but Siguza said the vulnerability itself is still present there and can be exploited in other ways. He tested the PoC successfully on High Sierra and concluded that it should work on other macOS versions as well, or can easily be adapted to earlier ones.
Nevertheless, even though IOHIDeous is a macOS zero-day that can give an attacker elevated privileges, arbitrary code execution, or root access, Siguza stated on Twitter that the vulnerability is not critical, since it cannot be exploited remotely, and added:
exploiting the bug is very noticeable because it brings down the whole UI, etc.
Siguza also explained on Twitter why the IOHIDeous details were published publicly on GitHub rather than sold on the darknet or submitted to a bug bounty program:
My goal was to write an article for ordinary people. I would not sell such information to black-hat hackers because I do not want to help crime.
I would have sent a report to Apple's bug bounty program if it included macOS, or if the vulnerability could be exploited remotely.
But since neither was the case, I decided to just end 2017 with a bang - so, why not?
Besides, if I wanted to watch the world burn, I would be writing zero-day ransomware, not articles ;)
How to protect yourself?
At the time of writing of both the original article and this translation, Apple had not commented on IOHIDeous or released a patch for the vulnerability. Since the bug requires code already running locally on the machine and is highly visible when triggered (the UI goes down), the practical exposure is limited to attackers who have already gained a foothold on the system.