Running a parser for a network protocol as root seems like a pretty unnecessarily dumb thing to do. I can't really imagine why any part of airplay would need to run as root; maybe something to do with DRM? Although the DRM daemon `fairplayd` runs as a limited-privilege user `_fpsd`, so maybe not. So bizarre that Apple makes all these cool systems to sandbox code, and creates dozens of privilege-separated users on macOS, and then runs an HTTP server doing plists parsing as an unsandboxed root process.

CVE-2025-24252 and CVE-2025-24132 are two examples. Doing a search for "Oligo" in release notes gives various other results, e.g.,

* https://support.apple.com/en-ca/122374

Apple fixed their stuff, but third-parties who used their SDK will have to issue updates as well.

macos is pretty promiscuous, and I've noticed random airplay displays (like the neighbors) showing up in the mirroring dropdown in the dock.

wonder if this is a way to get into the stack.

Very curious about the exploitation of CVE-2025-24252, a use-after-free (UAF) using which they achieved zero-click RCE on MacOS. This is inspite of ASLR and heap exploitation mitigations in place to mitigate such vulnerability classes

https://security.apple.com/blog/towards-the-next-generation-...

[dead]

Good thing I'm still on macOS 12