Zero-Day Flaw in Mojave
A researcher has revealed a zero-day flaw in Apple's Mojave operating system tied to the way the OS verifies apps. The bug allows hackers to sneak past macOS security measures and run whitelisted apps that have been manipulated to run malicious code. Patrick Wardle revealed the flaw, describing the exploitation of the bug as a second-stage attack method that lets a hacker hide the exploitation of a targeted system using a technique called synthetic mouse clicks. He said the bug shines a bright light on the fact that Mojave's application verification mechanism is broken. Wardle, who is chief research officer at Digita Security and founder of Mac security company Objective-See, revealed the vulnerability at a security conference, Objective By The Sea.
Synthetic mouse clicks give a hacker an incredibly powerful capability. In Mojave, Apple released a slew of new privacy and security features that block suspicious activity and display a pop-up requiring the user to allow an action. The attack lets a hacker trigger mouse clicks on Mojave that, unknown to the end user, approve malicious behaviors such as turning on a targeted system's microphone. In Mojave, Apple added a number of security provisions to prevent users from installing malicious apps and to prevent installed apps from engaging in risky behavior. Mostly, Apple does this by prompting the user with a dialog box in which permission is either granted or denied.
Wardle found a small cache of applications that are so popular and trusted by Apple users that they don't require any security dialog box before installing. One of those apps is the VLC media player. In a proof-of-concept attack, Wardle showed how a malicious version of VLC could be secretly installed on a system in a post-exploitation scenario. Because Apple trusts VLC, the hacker can manipulate the application's code to run malicious code, such as turning on the targeted system's microphone. To avoid the user seeing this activity on their screen, the hacker would only perform synthetic mouse clicks once the targeted system's display had gone into sleep mode.
Synthetic mouse clicks can also be used to control already-infected systems remotely. If a hacker has already installed a backdoor on a system and a week later wants to access the target's photos, Mojave will block that action with a security dialog. Synthetic mouse clicks circumvent those restrictions.
This is the fourth time Wardle has revealed a way hackers can exploit synthetic mouse clicks on Apple systems to bypass security measures. Last year, at DEFCON 2018, he revealed a similar zero-day bug that allowed a local hacker to click a security prompt and load a kernel extension on systems running Apple's then-latest High Sierra operating system.
Apple enhanced the security of macOS by introducing a new security feature, named User Assisted Kernel Extension Loading, which requires users to manually approve the loading of any kernel extension by clicking an allow button in the system's security settings UI. In later versions of macOS High Sierra, Apple began filtering and selectively ignoring synthetic events in order to thwart this class of attacks and protect security alerts. In Mojave, Apple chose to simply block all synthetic events.