With just two lines of code, a researcher has managed to bypass macOS security dialogs using synthetic clicks, defeating their protection and allowing kernel extensions to be loaded without the user's approval. Last week we talked about a vulnerability that could be fixed by upgrading to High Sierra 10.13.6, but this time we are talking about a zero-day vulnerability present in that very version of the operating system.
Using this method an attacker could gain access to the operating system's kernel, which would give them access to the entire system and allow them to completely compromise a user's machine. Apple has tried several methods to block this type of virtual or invisible click used to bypass security measures, but as Patrick Wardle, director of research at Digita Security, showed at Defcon in Las Vegas, these measures have not been enough.
As explained in Threat Post, macOS has a mechanism to prevent the unwanted loading of kernel extensions: it shows the user a dialog asking whether or not the software has permission to access the data it needs.
What Wardle has done is find a method to answer that question automatically, without the user's permission. Once that is achieved, the malware would be able to access data such as contacts, the user's location, or all the keys stored in the operating system. To avoid being discovered, these clicks could also be made while the user is not looking at the screen.
And how did he achieve it? While messing around, as he himself put it, he discovered that macOS High Sierra interprets two synthetic mouse "down" events as a manual approval of the permission dialog. Therefore, just two lines of code in a piece of malware, adding that gesture, would be enough to bypass the operating system's protection.
A mistake discovered by chance
“I was making a fool of myself with this feature: I copied and pasted the code for a synthetic mouse event twice by accident, forgetting to change the value of a flag that would indicate a mouse ‘up’ event. Without realizing my ‘error’, I compiled and executed the code, and honestly I was quite surprised when it generated an allowed synthetic click,” explained Wardle during the conference.
“For some unknown reason, the two synthetic mouse events ‘down’ confuse the system and the operating system sees it as a legitimate click,” he explained. “This completely breaks a fundamental safety mechanism of High Sierra.”
The approval mechanism for loading kernel extensions was added in High Sierra, so, as the researcher explained, this vulnerability only affects the latest version of macOS. In addition, in order to issue these synthetic clicks the malware must already be on the computer, so to take advantage of the vulnerability the user must first be tricked into running it before the system itself can be tricked.
Although Wardle has said that it is such a basic error that even he is embarrassed to talk about it, we must not forget that these types of discoveries are really useful. Moreover, by presenting them at a conference of this level, hackers make sure that companies like Apple are aware of these errors so that they can fix them promptly.
The expected outcome in cases like this is that Apple will release some kind of fix for this vulnerability in the coming weeks. In any case, the security recommendation remains the same as for any other operating system: do not download executables whose origin is unclear, to avoid any type of infection.