Month in review: Apple security in December 2017
Posted on by Joshua Long
The final month of 2017 has come and gone, and for those of us who love a good security story, December didn’t leave us disappointed. Read on for details about the top Apple-focused security news of the month.
“IOHIDeous” Mac Zero-Day Dropped New Year’s Eve
On New Year’s Eve, a security researcher going by the name Siguza publicly disclosed the full details of a local privilege escalation vulnerability that had allegedly been present in versions of macOS for at least the past 15 years.
In order for an attacker to take advantage of the bug (dubbed “IOHIDeous”), they would reportedly either need local access to a victim’s Mac, or to have previously compromised a victim’s Mac.
IOHIDeous logo. Image credit: Siguza
Once the bug has been successfully exploited, an attacker would gain root privileges—full administrative control over the victim’s Mac.
Although the flaw itself is entirely different, it’s similar to last month’s “I Am Root” vulnerability in the sense that it could allow a local attacker to gain root privileges on a victim’s Mac.
Apple will likely release a new version of macOS High Sierra that fixes IOHIDeous within the coming weeks.
It remains to be seen whether macOS Sierra or El Capitan will also receive updates. Older versions of macOS (OS X) are not expected to receive any security updates.
In short, if your Mac is capable of running macOS High Sierra (here’s how to find out), now’s a good time to upgrade.
Apple Updates Everything (Even AirPort)
Apple released security updates for virtually every one of its products during the month of December:
- macOS High Sierra 10.13.2 (along with partial* updates for Sierra and El Capitan)
- iOS 11.2 (and later 11.2.1)
- tvOS 11.2 (and later 11.2.1)
- watchOS 4.2
- AirPort Base Station Firmware for supported models
- iTunes 12.7.2 for Windows
- iCloud for Windows 7.2
*As is often the case, Apple chose not to fix all of the vulnerabilities in the two previous versions of macOS, Sierra and El Capitan. For example, Apple updated their support article in early January to reveal that the Meltdown vulnerability was only patched for macOS High Sierra, not for Sierra or El Capitan.
The most surprising update was new firmware for AirPort wireless base stations, which until December 12 had remained vulnerable to Broadpwn and KRACK, two serious vulnerabilities that had been known to the public for months.
See also our articles from earlier in December for further details on Apple’s security updates:
Apple Releases macOS 10.13.2 High Sierra, iOS 11.2 and More with Security Fixes
Apple Releases iOS 11.2.1, tvOS 11.2.1 and More with Security Fixes
OSX.Pirrit Adware/Malware Still Out There
On December 12, security researcher Amit Serper published a new report about OSX.Pirrit, dangerous Mac adware that has been around for a couple years and is still out there in the wild.
Serper reports that the latest version of OSX.Pirrit leverages AppleScript, a Mac scripting and automation technology. And, like previous versions of Pirrit, Serper says that the adware “[bombards] people with ads, it [spies] on them and runs under root privileges;” it has full control to do whatever it wants with a victim’s Mac.
I interviewed Serper about his research into OSX.Pirrit; you won’t want to miss the interview YouTube video in which we discuss Serper’s incredible adventures—including inadvertently discovering the exact names of the people who were behind the malware!
“I Am Root” Fixes May Have Left Users Vulnerable
Last month we had a featured story about the “I Am Root” vulnerability, whereby an attacker could enable the powerful root account on a victim’s Mac due to a programming error in macOS High Sierra. If you missed that story, you can learn more here:
Even as that article was being written, there were rumors about flaws in the way Apple released its security updates for High Sierra. It turned out that, although Apple had only stated that it would patch 10.13.1, Apple had also patched version 10.13—and if a user had gotten the automatic patch on 10.13, under certain conditions after upgrading to 10.13.1 their Mac might become vulnerable again.
By now, especially since 10.13.2 has subsequently been released, the vast majority of Internet-connected Macs running macOS High Sierra should be protected against the “I Am Root” vulnerability.
If you haven’t yet upgraded your Mac to macOS High Sierra version 10.13.2, you’ll want to do so as soon as possible, as it also includes a fix for the serious Meltdown vulnerability.
Other Security News, in Brief
There were other notable goings-on in the security world in December. Some highlights:
- Four episodes of Intego’s Mac Security Podcast were published in December, covering the I Am Root vulnerability and a rushed iOS update; iOS backup strategies; “Tom Cruise is in every Starbucks” (safe online shopping, and the AirPort firmware update); and “Handcuffs Made of Tissue Paper” (search engine data collection, and differential privacy). Be sure to subscribe so you don’t miss our future episodes, including our discussion of Meltdown!
- AdThink and OnAudience advertisements may have pulled data from your browser’s password manager
- A RootsWeb server exposed 300,000 Ancestry.com users’ data, including e-mail addresses and passwords
- Mozilla Firefox collected crash data from users who hadn’t opted in; Mozilla will delete collected data just in case
- ai.type, a popular third-party mobile keyboard, leaked personal data of over 31 million users — “While the app is available for both iOS and Android, the leaked data seems to relate only to Android users,” according to 9to5Google
- A Google Android flaw lets hackers inject malware into apps without altering signatures
- Samsung’s Android browser had a critical “same origin policy” bypass flaw
- Microsoft issued an emergency Windows update for a critical vulnerability in its Malware Protection Engine
- Windows 10’s preinstalled password manager Keeper had a flaw that allowed hackers to steal passwords
- HP notebooks’ keyboard driver discovered to include a keystroke logger
- Huawei routers were compromised by “Satoshi,” a Mirai botnet variant; the code used in the zero-day attack was later made public
- AMAG Technologies keyless entry door locks had flaws that could give attackers control
- Fox-IT (a major security firm that has investigated several high-profile breaches) revealed that hackers hijacked its DNS records and spied on clients’ files back in September
Stay Tuned! Subscribe to The Mac Security Blog
Be sure to subscribe to The Mac Security Blog to stay informed about Apple security throughout each month.
If you missed our previous Apple security news roundups for 2017, you can check them out here.
Also, be sure to subscribe to our YouTube channel to get monthly updates in video form, and click on YouTube’s bell icon so you’ll get notified when each new episode is available!
“I am root”/Groot cartoon image credit: Johnathon Burns, modified by Gaël