A ZERO-DAY FLAW affecting macOS Mojave can bypass security protections with 'synthetic clicks' to automatically install.
Synthetic clicks effectively approve actions by the operating system without user input. They take advantage of ‘synthetic events', a macOS automation feature intended to improve accessibility that enables applications to automate inputs such as mouse clicks and keystrokes. Synthetic events can be invoked via either the Mac's Core Graphics framework or AppleScript.
The feature can only be used by Apple-approved apps in order to prevent its adoption by malware writers.
It's not the first time that synthetic events in macOS have been exploited by malware writers. Wardle has previously disclosed a number of flaws affecting the feature, while Apple has introduced some countermeasures to prevent abuse.
However, Wardle claims to have found a new critical security flaw in macOS Mojave enabling malware to virtually ‘click' the built-in security prompt for new applications without any user interaction.
According to Hacker News, "there is a validation flaw in the way macOS checks the integrity of whitelisted apps. The operating system checks the existence of an app's digital certificate, but fails to validate if the app has been tampered with".
Wardle told Hacker News: "The system attempts to verify/validate that these allowed whitelisted apps haven't been subverted - but their check is flawed, meaning, an attacker can subvert any of these, and add/inject code to perform arbitrary synthetic clicks - for example, to interact with security/privacy alerts in Mojave to access user's location, the microphone, webcam, photos, SMS/call records."
The whitelisted apps, he added, "don't have to be present on the system. The attacker could bring one of the whitelisted apps to the system (perhaps pre-subverted) and run it in the background, to generate clicks".
Wardle demonstrated the newly discovered security flaw at the event over the weekend, abusing the widely used VLC Player - an Apple-approved app - to approve malware as an unsigned plugin, using synthetic clicks to automatically install the malware without the user's intervention.
However, Wardle added, an attacker would already need to have some form of remote access to a targeted Mac in order to kick-off the process. The findings of Wardle's research were reported to Apple last week. µ
Slack, hack and crack
A flaw in the protocol affects iOS, macOS and Windows 10
Wig wearer has issue with non-wig-wearer