Security researcher and former NSA staffer Patrick Wardle says that he will demonstrate on Sunday a set of automated attacks against macOS High Sierra, in which he is able to bypass security checks.
The checks are ones that ask the user to confirm that an app should be granted permission to do things like access contacts or location data …
He was quick to point out that the exploits would not allow an attacker initial access to a Mac. But it would effectively get around Apple’s sandboxing, to allow one malicious app to gain additional permissions.
Wired reports that the exploits rely on what’s known as ‘synthetic clicks,’ in which rogue code mimics a user clicking a button to grant a permission.
Wardle had previously achieved the same thing using accessibility features. Apple issued a patch to block this, and he then discovered a further workaround. Wardle says the greatest risk is that one rogue app can now potentially use this technique to take control of the kernel – something which ought to be impossible.
“The user interface is that single point of failure,” says Wardle, who now works as a security researcher for Digita Security. “If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.”
It appears that the exploits are patched in Mojave.
“A lot of advanced malware really tries to get into the kernel. It’s like god mode,” Wardle says. “If you can infect the kernel, you can see everything, bypass any security mechanism, hide processes, sniff user keystrokes. It’s really game over.”
Apparently this is fixed in Mojave — synthetic events are not allowed in Mojave without user approval for the app that wants to post them. https://t.co/NntzcmB6uo
— John Gruber (@gruber) August 13, 2018
Some are reporting that Apple also appears to be attempting to block synthetic clicks in macOS 10.13.6, though how successful this is remains unclear. We should learn more on Sunday.