On New Year's Eve, a security researcher going by Siguza decided to drop a macOS zero-day exploit without giving Apple a heads-up warning to fix the flaw.

"Woah. One tiny, ugly bug. Fifteen years. Full system compromise," the self-described "hobbyist hacker" said in a highly detailed "IOHIDeous" write-up about the bug, which has been lurking for at least 15 years and affects all Mac operating systems. "A macOS kernel exploit based on an IOHIDFamily 0day," he added in the proof-of-concept zero-day code published on GitHub.

While the vulnerability is now in the wild, the bug is a local privilege escalation (LPE) flaw that can be exploited only if an attacker has local access to the Mac — or previously pwned the computer. However, exploiting it would give an attacker root access.

Siguza's announcement set off a flurry of New Year's Eve fireworks on Twitter. When asked why he didn't sell the exploit to either governments or black hats, Siguza tweeted:

"My primary goal was to get the write-up out for people to read. I wouldn't sell to black hats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable. Since neither of those were the case, I figured I'd just end 2017 with a bang because why not. But if I wanted to watch the world burn, I would be writing 0day ransomware rather than write-ups ;)"

Bug allows root access to Macs

The bug, which has been around in macOS for more than a decade, could allow an attacker to get root access. But first, the user has to log out.
Siguza suggested the possibility of an attacker using a "sleeper program" that would trigger when a user logs off, reboots or shuts down the Mac. Under the header of "wreaking havoc," Siguza noted, "Getting root is trivial with ROP." While they are at it, attackers could disable the protections afforded by System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI), and install a root shell.

As previously noted, the write-up about the zero-day is extensive and detailed. Not everyone grasped the actual flaw, so when asked for a tl;dr explanation, Siguza replied: "Any user on the machine -> full system compromise."

When the discussion rolled around to the name-blame-shame game, Siguza said he didn't look for and release the flaw "out of hate," but "out of love" for the "craft of hacking." Although he does not claim to be a white hat, if he wanted to actually hurt people, he would have "found some remotely triggerable vuln, written some ransomware worm and not done a write-up on it."

Nevertheless, some folks were not happy with Siguza. To those people, he responded:

"People mad at me for dropping a 0day and making them vulnerable: what's your threat model? If it's script kiddies, you're safe because it's just a LPE and nothing remote. If it's people who can get remote code exec, what makes you think they don't have kernel r/w as well anyway?"