• The bug was found on Mac OS 9, which was released in 1999 and could be leveraged to target modern Apple systems.
  • It could allow an attacker to have full access and control of the victim’s computer.

Tech giant Apple has patched a security bug that existed for almost 20 years in its operating systems. The vulnerability was discovered by Joshua Hill, security researcher and chief risk officer (CRO) at Guardian. Hill found this flaw twenty years ago on Mac OS 9, which was released in 1999, that could be exploited in a service called Apple Remote Access meant for setting dial-up connections.

It has been reported that Apple patched this flaw in April.

Worth noting

  • The flaw can allow an attacker to obtain remote access to any Mac and have complete control over the system.
  • An article on WIRED tells that an exploit developed by Hill can be used on certain generations of macOS (until macOS Sierra).
  • The exploit revolves around an Apple software component known as CCLEngine, which is used to establish data links between computers. Hill found out that authentication mechanism in CCLEngine could be remotely bypassed and can be used to establish a remote connection between computers. Following this, a communication socket can be accessed which can be exploited to execute remote code.

Result of bad coding practice

Hill suggests that the flaw was the result of shoddy code. “It’s very bad programming practice, but this is very, very old code. I’m assuming this is why it has never been seen, though, because you can’t go in and see the crashes," Hill told WIRED.

The researcher presented this bug at the Objective by the Sea conference that was held on Sunday.

Cyware Publisher