IOHIDeous Zero-day Vulnerability on MacOS

Two days ago, on the last day of 2017, a security researcher known under the alias Siguza published a post about a very old MacOS/IOHIDFamily vulnerability that he had found recently. The IOHIDFamily kernel driver is what handles different user interactions with the device (for instance, logging in or logging out). According to Siguza's post, the vulnerability goes a long way back in time: it is said to affect every Mac operating system released since 2002. Exploiting it, however, requires local access to the machine, or at least a previously established remote connection, since it is a local privilege escalation (LPE) flaw.

Apple wasn’t informed in advance about IOHIDeous

Something interesting to mention here is that Siguza made the post without first informing Apple about the vulnerability, which would have given them the option to patch it (or at least to begin the process of doing so) before it became public. In a tweet published yesterday, Siguza explains why he did not send his report on IOHIDeous to Apple instead of making it public directly. According to the researcher, his main goal was to inform users about the bug, and since Apple's bug bounty did not cover macOS, there was no reason to send it to Apple first. Besides, the vulnerability does not represent a high level of danger because of the local access/previously established remote connection requirement. Siguza also mentioned that he had no interest in selling his discovery to hackers and only wanted to make sure that people were informed about the issue. Here is the original tweet from the researcher.

Possible consequences

As far as the IOHIDeous vulnerability in IOHIDFamily is concerned, it could supposedly allow an unauthorized user to gain full access to the targeted device. According to Siguza's detailed report, the vulnerability is easy to exploit because it is triggered by common user interactions such as logging off, rebooting, shutting down, or any other operation that includes a logout. Through IOHIDeous, a hacker could gain root access to the device without needing to rely on misleading social engineering schemes such as spam, malvertising or phishing.

There’s likely not going to be an emergency patch

Because of the holiday season, and because Apple does not consider the threat an emergency, there is probably not going to be a patch focused solely on getting rid of this vuln. The main reason for the low emergency level of IOHIDeous is the LPE nature of the flaw. Therefore, users can expect it to be patched out with the next regular security update that Apple issues each month.