On the very last day of 2017, a macOS security flaw that is claimed to apparently exist for the last 15 years was discovered by a security researcher. From his own Twitter account, Siguza, the researcher, posted, “Woah. One tiny, ugly bug. Fifteen years. Full system compromise.” Though Siguza has yet to officially warn Apple about it, he claims that it is exploitable only if local access to the Mac exists. He found it in the “IOHIDFamily” component of the software. According to Siguza, full system privileges can be gained using the bug. He has published a detailed description of the flaw in his GitHub profile.
If his claims are true, it can affect all existing Mac operating systems(macOS), though the flaw cannot be remotely exploited. Siguza also clarified on Twitter that he does not possess any sort of ill intent in disclosing the vulnerability. He explained on Twitter, “If I had actually wanted to hurt anyone, I would’ve found some remotely triggerable vuln, written some ransomware worm and not done a write-up on it. Not claiming to be a white-hat or anything, but just sayin…”
The flaw is very much exploitable by hackers and can be used to take over a Mac. The bug gets triggered by itself as soon as the system logs outs. Siguza gave an example where a Mac, containing the malware is seen being exploited by waiting till it is rebooted or shut down. Apple is yet to make any official public announcement on the issue.