New macOS bug allows for full system compromise – if attacker has physical access

Another hole has been found in macOS, with the flaw being revealed by a security researcher (or ‘hobbyist hacker’, as his Twitter profile notes) as the New Year rolled around – hardly the start to 2018 Apple would have wanted.

The researcher, who goes by the name of Siguza, said that the zero-day flaw seems to have been present in Apple’s desktop operating system since as far back as 2002.

It allows any user to gain full control of a Mac computer, but not remotely – an attacker will need physical access to the machine in question. In that case, they can use this local privilege escalation bug to get root permissions and execute arbitrary code, as Wccftech.com reports.

Furthermore, the exploit isn’t very sophisticated or stealthy, and will log the user out. Siguza observed: “Needs to be running on the host already (nothing remote), achieves full system compromise by itself, but logs you out in the process.

“Can wait for logout though and is fast enough to run on shutdown/reboot until [macOS] 10.13.1. On 10.13.2 it takes a fair bit longer (maybe half a minute) after logging out, so if your OS logs you out unexpectedly… maybe pull the plug?”

Embarrassing episode

Note that this vulnerability apparently affects all versions of macOS, and while it may not be particularly sophisticated, it’s still worrying, particularly coming after the much-publicized login bug in High Sierra which emerged last November. That was an entirely more embarrassing affair, though, given how basic the security flaw was (you could log onto any Mac simply by using ‘root’ as the username, with nothing in the password field).

Clearly, though, this is the last thing Apple needed to kick off 2018 with. Even if it is a rather clunky exploit which requires physical access to the PC in question, it still allows for a full system compromise – and most worryingly, it’s a bug which has apparently been present in Apple’s desktop OS for a decade and a half, or thereabouts.

Apple is working on a patch right now, according to the report, so we should hopefully see that come through the pipeline pretty sharpish.


Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).
