Apple Mac zero-day flaw found that can bypass security with 'synthetic clicks'

MacOS zero-day flaw bypasses security protections to take advantage of 'synthetic events' automation feature

A new zero-day security flaw affecting Apple's MacOS Mojave operating system can bypass security protections with 'synthetic clicks' to automatically install.

The security flaw was revealed by noted Apple security researcher Patrick Wardle at the Objective by the Sea security conference in Monaco over the weekend.


Synthetic clicks effectively approve actions by the operating system without user input.

They take advantage of 'synthetic events', a MacOS automation feature, intended to improve accessibility, that enables applications to automate inputs, such as mouse clicks and keystrokes. Synthetic events can be invoked via either the Mac's Core Graphics framework or AppleScript.


The feature can only be used by Apple-approved apps in order to prevent its adoption by malware writers.

It's not the first time that synthetic events in MacOS have been exploited by malware writers. Wardle has previously disclosed a number of security flaws affecting the feature, while Apple has introduced some countermeasures to prevent abuse. However, Wardle claims to have found a new critical security flaw in MacOS Mojave enabling malware to virtually 'click' the built-in security prompt for new applications without any user interaction.

According to Hacker News, "there is a validation flaw in the way MacOS checks the integrity of whitelisted apps. The operating system checks the existence of an app's digital certificate, but fails to validate if the app has been tampered with".


Wardle told Hacker News: "The system attempts to verify/validate that these allowed whitelisted apps haven't been subverted - but their check is flawed, meaning, an attacker can subvert any of these, and add/inject code to perform arbitrary synthetic clicks - for example, to interact with security/privacy alerts in Mojave to access user's location, the microphone, webcam, photos, SMS/call records."

The whitelisted apps, he added, "don't have to be present on the system. The attacker could bring one of the whitelisted apps to the system (perhaps pre-subverted) and run it in the background, to generate clicks".

Wardle demonstrated the newly discovered security flaw at the event over the weekend, abusing the widely used VLC Player - an Apple-approved app - to approve malware as an unsigned plugin, using synthetic clicks to automatically install the malware without the user's intervention.

However, Wardle added, an attacker would already need to have some form of remote access to a targeted Mac in order to kick off the process. The findings of Wardle's research were reported to Apple last week.
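
The validation gap described above, checking that an approved signer is named without checking that the app's contents still match what was signed, can be shown with a simplified model. This is an added illustration, not Apple's implementation or code from Wardle's research; the signer name, key and bundle contents are constructed, and an HMAC stands in for a real code signature.

```python
import hashlib
import hmac

# Constructed stand-in for a signing key; real code signing uses asymmetric
# signatures and certificate chains, not a shared HMAC key.
SIGNING_KEY = b"constructed-demo-key"
ALLOWED_SIGNERS = {"Example Media Player Team"}  # hypothetical allow list


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _sign(signer: str, hashes: dict) -> str:
    body = repr((signer, sorted(hashes.items()))).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def seal(files: dict, signer: str) -> dict:
    """Build a signed manifest covering every file in the bundle."""
    hashes = {path: _digest(data) for path, data in files.items()}
    return {"signer": signer, "hashes": hashes, "signature": _sign(signer, hashes)}


def weak_check(files: dict, manifest: dict) -> bool:
    """Flawed: only asks whether an allow-listed signer is named.
    The bundle contents (files) are never examined."""
    return manifest.get("signer") in ALLOWED_SIGNERS


def strict_check(files: dict, manifest: dict) -> bool:
    """Validates the signature and that the contents match the seal."""
    signer, hashes = manifest.get("signer"), manifest.get("hashes", {})
    if signer not in ALLOWED_SIGNERS:
        return False
    if not hmac.compare_digest(_sign(signer, hashes), manifest.get("signature", "")):
        return False
    # Every file present must be sealed, and every sealed file unchanged.
    if set(files) != set(hashes):
        return False
    return all(_digest(data) == hashes[path] for path, data in files.items())


# Constructed sample bundle, then the same bundle with an extra unsigned plugin.
original = {"MacOS/player": b"main binary", "plugins/codec.dylib": b"codec"}
manifest = seal(original, "Example Media Player Team")
tampered = dict(original, **{"plugins/extra.dylib": b"unsigned addition"})
```

Only `strict_check` rejects the bundle once a file is added or changed; `weak_check` accepts it because the signer name alone is unchanged.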
