macOS Bug Yet Again Allows for Bypass of Security Protections
The latest in a line of ways to bypass Apple's security safeguards was disclosed at the Objective by the Sea conference over the weekend.
Acclaimed Mac researcher Patrick Wardle has yet again demonstrated a way to bypass security prompts on macOS Mojave. Apple was believed to have fixed the issues previously, but Wardle recently discovered that an attacker could still exploit a bug in Mac's latest operating system to bypass its privacy features and access much of a machine's data.
Wardle, who's also Chief Research Officer at Digita Security and the founder of Objective-See, a platform started to share free Mac security tools, shared the news over the weekend at Objective by the Sea – the second iteration of his Mac security conference – in Monte Carlo, Monaco.
The bug undermines a security feature that lets users grant apps permission to access sensitive data, a feature Apple's senior vice president of Software Engineering, Craig Federighi, unveiled this time last year at the company's Worldwide Developers Conference. Not so coincidentally, Apple's WWDC 2019 is slated to kick off today, Monday, and run through Friday.
The bug relies on generating synthetic clicks, a macOS feature that lets programs click interface objects such as buttons in an open window, to bypass security protections. The result? The bug could grant an attacker access to sensitive data like the camera, microphone, messages, and browsing history, and possibly, in the worst-case scenario, allow attackers to install a kernel extension.
According to WIRED, which was briefed prior to Wardle's talk on Sunday, the researcher discovered that he could take programs Apple had preapproved to generate synthetic clicks without the user's approval and modify them to include his own malware. macOS, upon verification, would assume that the tweaked program was legitimate and allow it to generate clicks as part of a synthetic click attack.
Wardle told conference attendees that Apple verifies whether an app is authentic by cross-referencing its legitimate cryptographic signing key against a whitelist, part of Apple's Transparency, Consent, and Control (TCC) database; it just doesn't conduct a secondary check to determine that the program itself is still valid.
Wardle started poking around what the TCC database can and can't do after reading a 2018 blog post by Dr. Howard Oakley, a blogger who writes about Macs (and painting) at The Eclectic Light Company.
In his presentation Wardle used VLC, the popular open source media player, and a malicious plugin to show how he could trick Apple's TCC database into permitting an attack without a user's permission.
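The gap described above is that TCC checks who signed an approved app, not whether that app's code (or a plugin it loads, as in the VLC demonstration) is still what was signed. The following is an added defender-side audit script, not code from Wardle's talk, Apple, or VLC: it lists the apps holding Accessibility (synthetic-click) approval in the TCC database and verifies each one's signature, plugins included. It assumes Mojave's TCC.db schema (table `access`, columns `service`, `client`, `allowed`), the `kTCCServiceAccessibility` service name, and a `Contents/MacOS/plugins` bundle layout; all three are assumptions about the host, not facts from the article.

```shell
#!/bin/sh
# Added example, not from the article: audit apps that hold Accessibility
# (synthetic-click) approval in TCC and verify their code is still intact.
# verify_bundle exit codes: 0 = signature intact, 1 = modified/unsigned,
#                           2 = codesign missing (not a macOS host).

verify_bundle() {
    bundle="$1"
    command -v codesign >/dev/null 2>&1 || return 2
    # --deep walks nested code, --strict applies the current signing rules.
    codesign --verify --deep --strict "$bundle" >/dev/null 2>&1 || return 1
    # Loadable plugins (the VLC case) may sit outside what --deep covers, so
    # verify each one on its own. The plugins path is an assumed layout.
    plugdir="$bundle/Contents/MacOS/plugins"
    if [ -d "$plugdir" ]; then
        for f in "$plugdir"/*.dylib; do
            [ -e "$f" ] || continue
            codesign --verify --strict "$f" >/dev/null 2>&1 || return 1
        done
    fi
    return 0
}

# TCC clients approved for Accessibility. Assumed Mojave schema; reading the
# system TCC.db needs Full Disk Access (or root).
tcc_accessibility_clients() {
    db="${1:-/Library/Application Support/com.apple.TCC/TCC.db}"
    sqlite3 "$db" \
      "SELECT client FROM access WHERE service='kTCCServiceAccessibility' AND allowed=1;"
}

# Resolve a bundle identifier to an installed app path via Spotlight metadata.
bundle_path() {
    mdfind "kMDItemCFBundleIdentifier == '$1'" | head -n 1
}

audit_tcc() {
    tcc_accessibility_clients "$1" | while read -r client; do
        # TCC stores either a bundle id or an absolute path as the client.
        case "$client" in /*) path="$client" ;; *) path=$(bundle_path "$client") ;; esac
        [ -n "$path" ] || { echo "UNKNOWN  $client"; continue; }
        if verify_bundle "$path"; then echo "OK       $client ($path)"
        else echo "TAMPERED $client ($path)"; fi
    done
}

if [ "${1:-}" = "--audit" ]; then audit_tcc "$2"; fi
```

Run as `sh audit.sh --audit` on a Mojave host (optionally passing a copied TCC.db path as the second argument); any TAMPERED line is an approved client whose code no longer matches its signature.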
As WIRED points out, an attacker would already need access to a machine, or would have to trick a user into installing a malicious attachment, perhaps via a phishing email, in order to exploit the vulnerability and carry out an attack. Wardle reportedly informed Apple of the bug last week, but the company has yet to push a patch.
When the agenda for Objective by the Sea was disclosed last week, Wardle teased that he'd be presenting on a "powerful zero day in macOS Mojave." It wasn't clear at the time that the bug would be an extension of his previous work. Wardle previously demonstrated how Apple's protections around synthetic events could be bypassed last year, at the SyScan security conference in Singapore in March, and at DEF CON 26, in Las Vegas, in August.
This is technically the fourth synthetic click vulnerability that Wardle has uncovered, following CVE-2015-5943, which affected OS X El Capitan, CVE-2017-7150, which affected macOS High Sierra, and last year's bug, which didn't receive a CVE.