macOS Mojave bug lets attackers bypass security features
Former National Security Agency hacker and now chief research officer at Digita Security, Patrick Wardle, has uncovered a vulnerability in macOS Mojave that could enable attackers to bypass part of the operating system’s built-in security features.
These features were designed to make it harder for malicious applications to access a user’s private information, such as contacts, location and messages, unless the user clicks ‘allow’ on a pop-up window.
In addition, they were supposed to prevent applications from turning on the Web cam and microphone without the user’s consent.
However, the ‘allow’ boxes can be subverted via a maliciously manufactured click.
In the past, fake or ‘synthetic’ clicks could be created by using the operating system’s built-in automation feature AppleScript, or by employing mouse keys, which enable users and malicious code to control the mouse cursor from the numeric pad on the keyboard.
This weakness was fixed in earlier macOS releases: Apple’s protections blocked all synthetic clicks on these dialogs, so the user had to physically click the button.
During the “Objective by the Sea” Mac security conference in Monaco two days ago, Wardle revealed the bug, and said: “Synthetic mouse clicks give an attacker an incredibly powerful capability. In Mojave, Apple released myriad new privacy and security features that will block suspicious activity and display a pop-up requiring the user to allow an action. The goal of my research was to bypass all those new security and privacy mechanisms.”
Wardle found a whitelist of approved macOS applications that are highly popular and trusted by Apple users, and require neither an “allow” nor a “deny” security dialogue box before installing. One of those apps is the VLC media player.
Apps are usually signed with a digital certificate to prove the app is legitimate and has not been tampered with. If the app has been altered to include malware, the signature check would fail and the OS would refuse to run it. However, a bug in the code meant macOS was only checking that a signature existed, instead of verifying that the whitelisted app’s signature was valid and belonged to the expected developer.
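The flaw described above is a classic presence-versus-validity mistake: the check asked "is there a signature?" rather than "does the signature verify over these contents and come from the developer we expect?". The following added example (constructed for this article, not Apple's code or Wardle's proof-of-concept) models a whitelist check both ways. The bundle layout, signer names, and secrets are all made up, and the signature is an HMAC keyed by a per-signer secret, a deliberate stand-in for the asymmetric certificate-based signatures real code signing uses; the logic of the two checks is what matters.

```python
"""Weak vs. strict verification of a 'whitelisted' app bundle.

Constructed model: a bundle is its file contents plus a signer identity
and a signature. The signature is an HMAC over a digest of the files,
keyed by a per-signer secret (stand-in for a real signing certificate).
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed secrets standing in for the private keys behind trusted
# developer certificates. Only the legitimate publisher holds its secret.
TRUSTED_SIGNERS: Dict[str, bytes] = {
    "VideoLAN": b"constructed-videolan-signing-secret",
}

# Constructed whitelist: bundle identifier -> signer expected to have
# produced it. Apps on this list are exempt from the consent prompt.
WHITELIST: Dict[str, str] = {
    "org.videolan.vlc": "VideoLAN",
}


@dataclass
class Bundle:
    bundle_id: str
    files: Dict[str, bytes]            # path inside the bundle -> contents
    signer: Optional[str] = None
    signature: Optional[bytes] = None


def code_directory_digest(files: Dict[str, bytes]) -> bytes:
    """Hash every path and its contents in a stable order."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode())
        h.update(b"\0")
        h.update(files[path])
        h.update(b"\0")
    return h.digest()


def sign(bundle: Bundle, signer: str, secret: bytes) -> Bundle:
    """Attach a signature over the bundle's current contents."""
    bundle.signer = signer
    bundle.signature = hmac.new(secret, code_directory_digest(bundle.files), "sha256").digest()
    return bundle


def weak_check(bundle: Bundle) -> bool:
    """The flawed logic: whitelisted and 'some signature is present'."""
    return bundle.bundle_id in WHITELIST and bundle.signature is not None


def strict_check(bundle: Bundle) -> bool:
    """Whitelisted, signed by the expected developer, and the signature
    verifies over the contents as they are now."""
    expected_signer = WHITELIST.get(bundle.bundle_id)
    if expected_signer is None or bundle.signer != expected_signer:
        return False
    if bundle.signature is None:
        return False
    secret = TRUSTED_SIGNERS[expected_signer]
    expected = hmac.new(secret, code_directory_digest(bundle.files), "sha256").digest()
    return hmac.compare_digest(expected, bundle.signature)


# --- constructed sample bundles -------------------------------------------

def genuine_vlc() -> Bundle:
    b = Bundle("org.videolan.vlc", {"Contents/MacOS/VLC": b"<genuine binary>"})
    return sign(b, "VideoLAN", TRUSTED_SIGNERS["VideoLAN"])


def tampered_vlc() -> Bundle:
    """Genuine signature left in place, but the binary altered afterwards."""
    b = genuine_vlc()
    b.files["Contents/MacOS/VLC"] = b"<modified binary>"
    return b


def other_signer_vlc() -> Bundle:
    """Same bundle identifier, but signed under a different identity."""
    b = Bundle("org.videolan.vlc", {"Contents/MacOS/VLC": b"<modified binary>"})
    return sign(b, "Some Other Developer", b"constructed-other-secret")


if __name__ == "__main__":
    for name, factory in [("genuine", genuine_vlc), ("tampered", tampered_vlc), ("other signer", other_signer_vlc)]:
        b = factory()
        print(f"{name:13s} weak={weak_check(b)!s:5s} strict={strict_check(b)}")
```

Running it shows the weak check accepting all three bundles, while the strict check accepts only the untouched, correctly signed one. On a real Mac the equivalent of `strict_check` is what `codesign --verify --deep --strict` performs, and the identity half is the check that the signing certificate chains to the expected developer rather than to any certificate at all.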
Wardle demonstrated in a proof-of-concept attack how a malicious version of VLC could be covertly installed on a targeted system.
Because VLC is ‘trusted’ by Apple, an attacker can manipulate the application’s code to perform a malicious act, such as turning on the target system’s microphone or Web cam. To ensure the user is unaware of this action, the attack would only perform synthetic mouse clicks when the system’s display went into ‘sleep’ mode.
“The only thing Apple is doing is validating that the application is signed by who they think it is,” he said.