Security researcher and former NSA staffer Patrick Wardle says that he will demonstrate on Sunday a set of automated attacks against macOS High Sierra, in which he is able to bypass security checks.
The checks are ones that ask the user to confirm that an app should be granted permission to do things like access contacts or location data …
He was quick to point out that the exploits would not allow an attacker initial access to a Mac. But they would effectively get around Apple’s sandboxing, allowing one malicious app to gain additional permissions.
Wired reports that the exploits rely on what’s known as ‘synthetic clicks,’ in which rogue code mimics a user clicking a button to grant a permission.
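Because synthetic clicks are posted by a process rather than by a physical device, a defender can at least log where each click came from. The following script is an added example, not code from the article or from Wardle's own tooling. It assumes (and labels in the comments) that a real hardware click carries the `kCGEventSourceStateHIDSystemState` source state and no posting process ID, whereas an event injected with `CGEventPost` carries the poster's PID in `kCGEventSourceUnixProcessID`; the live tap needs pyobjc's Quartz bindings and an Accessibility or Input Monitoring grant for the interpreter, and only runs on macOS. The pure-Python classifier runs anywhere.

```python
"""Classify macOS input events as hardware-generated or process-posted.

Added example (not from the article or from Patrick Wardle's tooling).
Assumptions, labelled: a hardware event carries the HID system source state
and a posting PID of 0; an event injected via CGEventPost carries the PID of
the posting process. run_event_tap() needs pyobjc (Quartz) plus an
Accessibility/Input Monitoring grant and only works on macOS.
"""
import sys

# Values from Apple's CGEventSource.h (CGEventSourceStateID enum).
HID_SYSTEM_STATE = 1        # kCGEventSourceStateHIDSystemState: physical device input
COMBINED_SESSION_STATE = 0  # kCGEventSourceStateCombinedSessionState
PRIVATE_STATE = -1          # kCGEventSourceStatePrivate


def classify_event_source(state_id: int, posting_pid: int) -> str:
    """Return 'hardware' or 'synthetic' for a (source state, posting PID) pair.

    Assumption (labelled): physical input reports the HID system state and no
    posting process, while CGEventPost'ed events report the poster's PID.
    A process can create its own source with the HID state, so the PID is the
    stronger signal and the state alone is only a heuristic.
    """
    if posting_pid != 0:
        return "synthetic"
    if state_id != HID_SYSTEM_STATE:
        return "synthetic"
    return "hardware"


def summarize(events):
    """Count verdicts over an iterable of (state_id, posting_pid) tuples."""
    counts = {"hardware": 0, "synthetic": 0}
    for state_id, pid in events:
        counts[classify_event_source(state_id, pid)] += 1
    return counts


# Constructed sample data: one click from real hardware, one posted by a
# process (constructed PID 4242) with the combined-session state, and one
# where the poster spoofed the HID state but is still exposed by its PID.
SAMPLE_EVENTS = [
    (HID_SYSTEM_STATE, 0),
    (COMBINED_SESSION_STATE, 4242),
    (HID_SYSTEM_STATE, 4242),
]


def run_event_tap():
    """Attach a listen-only CGEventTap and log the origin of each mouse click.

    macOS only; needs `pip install pyobjc-framework-Quartz` and an
    Accessibility/Input Monitoring grant for the Python binary.
    """
    from Quartz import (  # pyobjc bindings for the CoreGraphics event API
        CGEventTapCreate, kCGSessionEventTap, kCGHeadInsertEventTap,
        kCGEventTapOptionListenOnly, CGEventMaskBit, kCGEventLeftMouseDown,
        kCGEventRightMouseDown, CGEventGetIntegerValueField,
        kCGEventSourceStateID, kCGEventSourceUnixProcessID,
        CFMachPortCreateRunLoopSource, CFRunLoopGetCurrent, CFRunLoopAddSource,
        kCFRunLoopCommonModes, CGEventTapEnable, CFRunLoopRun,
    )

    def callback(proxy, event_type, event, refcon):
        state_id = CGEventGetIntegerValueField(event, kCGEventSourceStateID)
        pid = CGEventGetIntegerValueField(event, kCGEventSourceUnixProcessID)
        verdict = classify_event_source(state_id, pid)
        print(f"click type={event_type} source_state={state_id} pid={pid} -> {verdict}")
        return event  # listen-only tap: the event is never altered or dropped

    mask = CGEventMaskBit(kCGEventLeftMouseDown) | CGEventMaskBit(kCGEventRightMouseDown)
    tap = CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap,
                           kCGEventTapOptionListenOnly, mask, callback, None)
    if tap is None:
        sys.exit("could not create event tap (missing Accessibility permission?)")
    source = CFMachPortCreateRunLoopSource(None, tap, 0)
    CFRunLoopAddSource(CFRunLoopGetCurrent(), source, kCFRunLoopCommonModes)
    CGEventTapEnable(tap, True)
    CFRunLoopRun()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then the live tap on macOS.
    print(summarize(SAMPLE_EVENTS))
    if sys.platform == "darwin":
        run_event_tap()
```

The tap is created with `kCGEventTapOptionListenOnly` so the script can only observe, never block or rewrite, input; a verdict of `synthetic` on a click that lands on a permission prompt is the signal worth alerting on, and the PID field tells you which process posted it.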
At the DefCon hacker conference Sunday in Las Vegas, Wardle plans to present a devious set of automated attacks he’s pulled off against macOS versions as recent as 2017 release High Sierra, capable of so-called synthetic clicks that allow malware to breeze through the permission prompts meant to block it. The result could be malware that, once it has found a way onto a user’s machine, can bypass layers of security to perform tricks like finding the user’s location, stealing their contacts or, with his most surprising and critical technique, taking over the deepest core of the operating system, known as the kernel, to fully control the computer.
“The user interface is that single point of failure,” says Wardle, who now works as a security researcher for Digita Security. “If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.”
Wardle had previously achieved the same thing using accessibility features. Apple issued a patch to block this, and he then discovered a further workaround. Wardle says the greatest risk is that one rogue app can now potentially use this technique to take control of the kernel – something which ought to be impossible.
If malware can use that trick to install a kernel extension, it can often exploit that added code to gain full control of a target machine. Kernel extensions—like drivers in Windows—must be signed by a developer for MacOS to install them. But if an existing signed kernel extension has a security flaw, a piece of malware can install that extension and then exploit its flaw to take control of the kernel.
“A lot of advanced malware really tries to get into the kernel. It’s like god mode,” Wardle says. “If you can infect the kernel, you can see everything, bypass any security mechanism, hide processes, sniff user keystrokes. It’s really game over.”
It appears that the exploits are patched in Mojave.
Apparently this is fixed in Mojave — synthetic events are not allowed in Mojave without user approval for the app that wants to post them. https://t.co/NntzcmB6uo
— John Gruber (@gruber) August 13, 2018
Some are reporting that Apple also seems to be attempting to block synthetic clicks in macOS 10.13.6, though the extent to which this is successful is as yet unclear. We should learn more on Sunday.