Apple is generally considered reliable at making safe and secure software. It is widely believed that the company works hard to make the defenses of its OS and devices strong enough to resist malware infections and other malicious code.
However, the days of blindly trusting any firm, Apple included, are long gone, or so it seems. According to an ex-NSA (National Security Agency) hacker and macOS security expert, there is a dangerous flaw in macOS that can potentially render all of its secondary defenses useless.
At the DefCon hacker convention, Patrick Wardle gave a presentation on how an attacker can bypass most of the security mechanisms Apple has implemented to safeguard macOS. Wardle explained that malware can evade these protections by targeting them at the UI (user interface) level.
It is worth noting that user warnings are the ubiquitous OS defenses responsible for prompting the user to allow or deny permission before an action takes place. They serve as a defense against rogue clicks that might accidentally install software or grant it new permissions.
Wardle claims that it is possible to exploit these user warnings by modifying the way macOS converts keyboard presses into mouse clicks. Because macOS interprets two mouse-down actions as equivalent to clicking OK, a single extra line of code is enough to prevent the user warning from ever appearing.
Under normal circumstances, whenever these security mechanisms detect a malicious action, the action is blocked immediately and an alert or warning is displayed. However, by abusing macOS's many programmatic UI interfaces, malicious code can generate a programmatic click that dismisses these alerts.
This programmatic click, which Wardle refers to as a Synthetic Click, performs the task immediately without ever alerting the user. Synthetic clicks are essentially rogue code that replicates the act of clicking the button that grants permissions to an app. Reportedly, Apple will now be blocking synthetic clicks in macOS 10.13.6.
From my @DefCon talk:
Apple's "User Assisted Kext Loading" is huge PITA for 3rd-party devs/breaks apps…but hackers can bypass trivially 😭//0day bypass
// 2x 🐭⬇️ on 'Allow' btn
CGPostMouseEvent(point, true, 1, down);
CGPostMouseEvent(point, true, 1, down);…blog soon📝 pic.twitter.com/PZESutEsaO
— Patrick Wardle (@patrickwardle) August 13, 2018
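As an added defender-side illustration (not code from the article or from Wardle's talk), the following Objective-C program installs a listen-only CGEventTap and flags the pattern the tweet and article describe: two left-button mouse-down events with no mouse-up between them, together with the PID of the process that posted the event. It assumes the tap has been granted Accessibility approval, that hardware mouse events report a source PID of 0, and that both synthetic downs reach a session-level tap unchanged; none of these assumptions come from the page.

```objectivec
#import <Foundation/Foundation.h>
#import <CoreGraphics/CoreGraphics.h>

// Build: clang -framework Foundation -framework CoreGraphics synclick.m -o synclick
// Assumptions (not from the article): the tap needs Accessibility/Input Monitoring
// approval, and hardware events carry a source PID of 0 while events posted with
// CGPostMouseEvent/CGEventPost carry the posting process's PID.
static CFMachPortRef gTap = NULL;  // global so the callback can re-enable the tap
static int gPendingDowns = 0;      // left-button downs not yet matched by a mouse-up

static CGEventRef tapCallback(CGEventTapProxy proxy, CGEventType type,
                              CGEventRef event, void *refcon) {
    if (type == kCGEventTapDisabledByTimeout || type == kCGEventTapDisabledByUserInput) {
        CGEventTapEnable(gTap, true);  // the system disabled us; re-arm and carry on
        return event;
    }
    int64_t srcPid = CGEventGetIntegerValueField(event, kCGEventSourceUnixProcessID);
    CGPoint p = CGEventGetLocation(event);
    if (type == kCGEventLeftMouseDown) {
        gPendingDowns++;
        if (gPendingDowns >= 2) {
            // Two downs with no up in between: the shape of the synthetic-click trick.
            NSLog(@"SUSPICIOUS: repeated mouse-down at (%.0f,%.0f) from pid %lld (%s)",
                  p.x, p.y, srcPid, srcPid == 0 ? "no posting pid" : "posted programmatically");
        } else if (srcPid != 0) {
            NSLog(@"note: mouse-down at (%.0f,%.0f) posted by pid %lld", p.x, p.y, srcPid);
        }
    } else if (type == kCGEventLeftMouseUp) {
        gPendingDowns = 0;  // a real click completes the pair; reset the counter
    }
    return event;  // listen-only: never modify or swallow the event
}

int main(void) {
    @autoreleasepool {
        CGEventMask mask = CGEventMaskBit(kCGEventLeftMouseDown) |
                           CGEventMaskBit(kCGEventLeftMouseUp);
        gTap = CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap,
                                kCGEventTapOptionListenOnly, mask, tapCallback, NULL);
        if (!gTap) {
            NSLog(@"could not create event tap (missing Accessibility approval?)");
            return 1;
        }
        CFRunLoopSourceRef src = CFMachPortCreateRunLoopSource(kCFAllocatorDefault, gTap, 0);
        CFRunLoopAddSource(CFRunLoopGetCurrent(), src, kCFRunLoopCommonModes);
        CGEventTapEnable(gTap, true);
        NSLog(@"watching for synthetic-click patterns; Ctrl-C to stop");
        CFRunLoopRun();
    }
    return 0;
}
```

A non-zero source PID on a mouse-down aimed at a permission prompt is the signal worth alerting on; a repeated down with no up narrows it further to the specific trick described above.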
Wardle will be demonstrating a series of automated attacks against macOS High Sierra, showing how easy it is to bypass security checks in macOS. These checks are what require apps to obtain the user's permission before performing certain tasks, such as accessing location data or contacts.
During his presentation at the conference in Las Vegas, Wardle stated that these exploits will not give a hacker initial access to a Mac, but they can effectively defeat sandboxing, letting any malicious app obtain higher-level permissions.
Apple, on the other hand, has vowed to fix all the issues pertaining to UI exploitation in the upcoming version of the operating system, macOS Mojave.