In macOS Mojave, Apple introduced a new set of security and privacy controls meant to restrict application access to system resources, files, and utilities, controls designed to hold even when malware is already running on the machine. But a security researcher has found a serious flaw in the way Mojave verifies the apps it trusts, and has developed a simple method for subverting that check so that a modified or malicious app is treated as a trusted one.
The problem lies in the way Mojave handles so-called synthetic clicks, clicks generated programmatically rather than by the computer’s mouse or trackpad. Over the last few years, Apple has tried to eliminate the ability of apps to send synthetic clicks to the user interface, because they can be used to take actions without the user’s consent, such as approving a permission dialog. In Mojave, synthetic clicks are essentially off-limits to all apps, but researcher Patrick Wardle of Digita Security found that there is a small, undocumented whitelist of apps that are still permitted to generate them.
To ensure that the apps on that whitelist are what they claim to be, Apple checks their code-signing information before allowing a synthetic click to go through. However, Wardle found that the check is incomplete: it confirms which app is asking, but not that the app’s code is intact, so an attacker can get a modified copy of a whitelisted app past it. An attacker would need to have already compromised the machine or have local access to it in order to take advantage of this vulnerability, Wardle said.
“In Mojave Apple locks programs from being able to send synthetic clicks. It turns out it’s not fully true because there’s an undocumented whitelist of apps and any of those can send synthetic clicks. It appears to be popular apps that Apple wanted to allow for compatibility reasons,” Wardle said.
“There’s code signing info in the whitelist. The way they perform the validation is incomplete, so a local attacker without any special privileges could use one of the apps in the whitelist and add some code to it and generate synthetic clicks and run it. The system would see this and check what program it was and allow it because it’s on the whitelist and not check if it’s been messed with.”
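The distinction Wardle draws, identity versus integrity, can be made concrete. The following is an added example, not Apple’s code and not Wardle’s proof of concept: it models the whitelist check as a “weak” validator that trusts the identifier a signature claims, beside a “strict” validator that also verifies the signature against the expected signing team and checks that the executable on disk still matches what was signed. The code signature is modelled with an HMAC under a per-team key as a stand-in for the certificate chain of a real Mac code signature; the bundle identifiers, team IDs, keys and executable bytes are all constructed for illustration.

```python
"""Model of an identity-only whitelist check versus a full signature check
(added example; not Apple's implementation). Code signatures are modelled as
an HMAC under a per-team key, standing in for a real certificate chain.
All identifiers, team IDs, keys and executables below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

# Stand-in for the trust anchor: which signing team holds which key (constructed).
TEAM_KEYS = {
    "TEAM1234AB": b"vendor-team-secret",      # legitimate vendor of the whitelisted app
    "EVIL000000": b"attacker-ad-hoc-secret",  # attacker's own signing identity
}

# Hypothetical whitelist entry: identifier -> team expected to have signed it.
SYNTHETIC_CLICK_WHITELIST = {
    "com.example.automation": "TEAM1234AB",
}


@dataclass
class Signature:
    identifier: str
    team_id: str
    code_hash: str  # hash of the executable at signing time (CodeDirectory stand-in)
    mac: str        # MAC over the three fields above under the team's key


@dataclass
class Bundle:
    identifier: str
    executable: bytes
    signature: Signature


def _mac(team_key: bytes, identifier: str, team_id: str, code_hash: str) -> str:
    msg = f"{identifier}\0{team_id}\0{code_hash}".encode()
    return hmac.new(team_key, msg, hashlib.sha256).hexdigest()


def sign(identifier: str, team_id: str, executable: bytes) -> Bundle:
    """Produce a signed bundle, as the legitimate vendor (or an attacker) would."""
    code_hash = hashlib.sha256(executable).hexdigest()
    mac = _mac(TEAM_KEYS[team_id], identifier, team_id, code_hash)
    return Bundle(identifier, executable, Signature(identifier, team_id, code_hash, mac))


def weak_allows_synthetic_click(bundle: Bundle) -> bool:
    """The incomplete check: 'a piece of paper with my name on it'."""
    return bundle.signature.identifier in SYNTHETIC_CLICK_WHITELIST


def strict_allows_synthetic_click(bundle: Bundle) -> bool:
    """Identifier on the list, signed by the expected team, and code unmodified."""
    sig = bundle.signature
    expected_team = SYNTHETIC_CLICK_WHITELIST.get(sig.identifier)
    if expected_team is None or sig.team_id != expected_team:
        return False  # not whitelisted, or signed by someone other than the expected team
    expected_mac = _mac(TEAM_KEYS[expected_team], sig.identifier, sig.team_id, sig.code_hash)
    if not hmac.compare_digest(expected_mac, sig.mac):
        return False  # signature blob forged or corrupted
    # The part the weak check skips: does the code on disk still match what was signed?
    return hashlib.sha256(bundle.executable).hexdigest() == sig.code_hash


def tamper_keep_signature(bundle: Bundle, payload: bytes) -> Bundle:
    """Attacker appends code but leaves the vendor's original signature in place."""
    return Bundle(bundle.identifier, bundle.executable + payload, bundle.signature)


def tamper_resign(bundle: Bundle, payload: bytes, attacker_team: str = "EVIL000000") -> Bundle:
    """Attacker appends code and re-signs with their own identity, keeping the identifier."""
    return sign(bundle.identifier, attacker_team, bundle.executable + payload)


if __name__ == "__main__":
    genuine = sign("com.example.automation", "TEAM1234AB", b"\xcf\xfa\xed\xfe original Mach-O")
    modified = tamper_keep_signature(genuine, b" + synthetic click payload")
    resigned = tamper_resign(genuine, b" + synthetic click payload")
    for name, b in (("genuine", genuine), ("modified", modified), ("resigned", resigned)):
        print(f"{name:9} weak={weak_allows_synthetic_click(b)!s:5} "
              f"strict={strict_allows_synthetic_click(b)}")
```

The weak validator accepts all three bundles because they all carry the whitelisted identifier; the strict one accepts only the untouched original. On a real Mac the equivalent of the strict path is a signature validation against a designated requirement, the kind expressed in Apple’s requirement language as `anchor apple generic and identifier "com.example.automation" and certificate leaf[subject.OU] = "TEAM1234AB"`, which binds the identifier to a specific signing team and fails if the code no longer matches its signature.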
Wardle revealed the vulnerability at the Objective By the Sea Mac security conference in Monaco this weekend and he likened the weakness to a crummy security check at an airport.
“The analogy I like to use is it’s like if I book a flight under my name and I get to the airport and when I get to TSA I just hold up a piece of paper with my name written on it,” he said. “Apple isn’t actually checking that it’s a valid ID.”
Wardle reported the vulnerability to Apple recently and he said a patch is in the works, but there’s no indication of when it may be released. He has reported similar synthetic click problems to the company in the past, but a comprehensive fix hasn’t happened yet.
“The frustration is that they seem to be unable to completely fix this. While they’re touting all these security and privacy features, they still haven’t implemented this completely,” he said. “This wasn’t an incredibly complex or subtle bug to find. I keep having to report these to them.”
An attacker who exploited this issue could use synthetic clicks to approve the consent prompts that otherwise stand between an unauthorized app and resources such as the microphone or the webcam, bypassing the very protections Mojave added.
“Apple has added all these secondary security mechanisms where the assumption is that the user is already infected. This breaks all of that,” he said.