A researcher has revealed a zero-day flaw in Apple’s Mojave operating system tied to the way the OS verifies apps. The bug allows attackers to sneak past macOS security measures and run whitelisted apps that have been manipulated to run malicious code.
macOS researcher Patrick Wardle revealed the flaw Monday, describing the exploitation of the bug as a second-stage attack method allowing an adversary to cloak further exploitation of a targeted system using a technique called synthetic mouse clicks. He said the bug shines a bright light on the fact Mojave’s application verification mechanism is “100 percent broken.”
Wardle, who is chief research officer at Digita Security and founder of Mac security company Objective-See, revealed the vulnerability at a security conference, Objective By The Sea, on Monday.
“Synthetic mouse clicks give an attacker an incredibly powerful capability,” he said. “In Mojave, Apple released a myriad of new privacy and security features that will block suspicious activity and display a pop-up requiring the user to allow an action. The goal of my research was to bypass all those new security and privacy mechanisms.”
The attack ultimately allows for an attacker to trigger synthetic mouse clicks on Mojave that, unknown to the end user, approve malicious behaviors such as turning on a targeted system’s microphone or disclosing the GPS coordinates of a user’s computer.
“In Mojave, Apple has added a number of security provisions to prevent users from installing malicious apps and preventing installed apps from risky behavior,” he said. “Mostly, Apple does this by prompting a user with a dialogue box either granting or denying permission.”
What Wardle found was a small cache of applications that are so popular and apparently trusted by Apple users they don’t require any “allow” or “deny” security dialogue box before installing. One of those apps is the VLC media player.
In a proof-of-concept attack, Wardle showed how a malicious version of VLC could be secretly installed on a targeted system in a post-exploitation attack scenario. Because Apple “trusts” VLC, the adversary can manipulate the application’s code to perform a malicious act, such as turning on the targeted system’s microphone. To avoid a user seeing this action on their computer screen, the attack would only perform synthetic mouse clicks when the targeted system’s display went into “sleep” mode.
“This is a second-stage payload, which an attacker can use to control already-infected systems remotely,” he said. “If an attacker has already installed a backdoor on a system and then a week later they want to access the target’s photos, Mojave will block this action by the OS via a ‘deny’ and ‘allow’ dialogue.” Synthetic mouse clicks circumvent those restrictions.
This is the fourth time Wardle has revealed a way hackers can exploit synthetic mouse clicks on Apple systems to bypass security measures. Last year at DEFCON 2018, he revealed a similar zero-day bug that allowed a local attacker to virtually “click” a security prompt and load a kernel extension on systems running Apple’s latest High Sierra operating system.
Apple’s response to Wardle’s 2018 attack was to enhance the security of macOS by introducing a new security feature, named “User Assisted Kernel Extension Loading,” which requires users to manually approve the loading of any kernel extension by clicking an “allow” button in the system’s security settings UI.
In versions of macOS High Sierra, Apple as began filtering (and selectively ignoring) synthetic events in order thwart this class of attacks and protecting security alerts. Moreover, in Apple’s macOS, Mojave, it chose to simply block all synthetic events.
“After I reported this bug to Apple after my DEFCON, I would have hoped that Apple would have fix this vulnerability comprehensively,” Wardle said. “This is frustrating as a researcher to continually find ways to bypass Apple’s protections… I would be naïve to think that there are no other hackers or sophisticated adversaries that have also found similar holes in Apple’s defenses.”