Tampering with two lines of code unveiled a serious bug which could lead to full system compromise.
This article originally appeared on ZDNet.
A security researcher uncovered a zero-day in Apple software by tweaking a few lines of code. Speaking at Defcon in Las Vegas last week, Patrick Wardle, Chief Research Officer of Digita Security, described his research into "synthetic" interactions with a user interface (UI) that can lead to severe macOS system security issues.
Synthetic events are when attackers can virtually "click" objects in order to load code without user consent. If a threat actor is able to "click" a security prompt and load a kernel extension, this could lead to the full compromise of an operating system.
"Via a single click, countless security mechanisms may be completely bypassed," the researcher says. "Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed."
While some users may stop these kinds of attacks when a warning dialogue appears, Wardle says that it is possible to generate synthetic clicks silently and invisibly, a scenario which the researcher says results in "everything pretty much go[ing] to hell."
The vulnerability at the heart of the issue is CVE-2017-7150, a bug impacting modern versions of Apple macOS software before version 10.13.
The macOS security flaw allowed unprivileged code to interact with any UI component including 'protected' security dialogues, leading to the bypass of the keychain access prompt and password exfiltration.
However, according to ThreatPost, a new zero-day security flaw was stumbled upon after tampering with two lines of code in Apple's macOS UI, despite the iPad and iPhone maker's attempts to mitigate the bug.
Apple is aware of synthetic events as an attack vector and issued an update called "User Assisted Kernel Extension Loading (Kext)" in an attempt to mitigate the design problem and subsequent avenues for attack.
This feature requires users to manually click an "allow" button before a kernel extension is loaded.
However, Wardle says that this redesign of the UI ultimately failed: the new zero-day stems from an incomplete patch that leaves macOS High Sierra interpreting software events incorrectly.
The researcher says that bypassing Kext protections was "trivial," and the zero-day bug permits unprivileged code usage in order to "post synthetic events and bypass various security mechanisms on a fully patched macOS box."
The problem lies in how the latest version of macOS approves or rejects synthetic events. When two synthetic "down" events are sent, High Sierra interprets them as a manual approval consisting of one "down" and one "up" click, which gives attackers a path straight to system compromise.
Wardle told attendees that the bug was found by accident as he copied and pasted code, setting the script to click a synthetic mouse "down" twice without meaning to.
"Two lines of code completely break this security mechanism," Wardle told the publication. "It is truly mind-boggling that such a trivial attack is successful."
The next version of the OS, Mojave, will block synthetic events entirely, according to the researcher. However, the security community has expressed concerns that this could hamper the functionality of legitimate apps and services.
ZDNet has reached out to Apple and will update if we hear back.