Apple macOS vulnerability paves the way for system compromise with a single click

Tampering with two lines of code unveiled a serious bug which could lead to full system compromise.

A security researcher uncovered a zero-day in Apple software by tweaking a few lines of code. Speaking at Defcon in Las Vegas last week, Patrick Wardle, Chief Research Officer of Digita Security, described his research into "synthetic" interactions with a user interface (UI) that can lead to severe macOS system security issues.

Synthetic events are when attackers can virtually "click" objects in order to load code without user consent. If a threat actor is able to "click" a security prompt and load a kernel extension, this could lead to the full compromise of an operating system.

"Via a single click, countless security mechanisms may be completely bypassed," the researcher says. "Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed."

While some users may stop these kinds of attacks when warning dialogue appears, Wardle says that it is possible to synthetically generate clicks silently and in an invisible way -- a concept which the researcher says results in "everything pretty much go[ing] to hell."

The vulnerability at the heart of the issue is CVE-2017-7150, a bug impacting modern versions of Apple macOS software before version 10.13.

The macOS security flaw allowed unprivileged code to interact with any UI component including 'protected' security dialogues, leading to the bypass of the keychain access prompt and password exfiltration.

However, a new zero-day security flaw was stumbled upon after tampering with two lines of code in Apple's macOS UI despite the iPad and iPhone maker's attempts to mitigate the bug, according to ThreatPost.

Apple is aware of synthetic events as an attack vector and issued an update called "User Assisted Kernel Extension Loading (Kext)" in an attempt to mitigate the design problem and subsequent avenues for attack.

This feature requires users to manually click a "allow" button for the loading of kernel extensions.

Also: Half of IT pros say it would be easy to turn to cybercrime without getting caught TechRepublic

However, Wardle says that this redesign of the UI ultimately failed and the new zero-day is based on the macOS High Sierra's incorrect interpretation of software events based on an incomplete patch.

The researcher says that bypassing Kext protections was "trivial," and the zero-day bug permits unprivileged code usage in order to "post synthetic events and bypass various security mechanisms on a fully patched macOS box."

The problem lies in the approval, or rejection, of synthetic events in the latest version of macOS. When two synthetic "down" events run, High Sierra interprets the attack as a manual approval via one "down" and one "up" click, which gives attackers a path straight to system compromise.

Also: Hackers can steal data from the enterprise using only a fax number

Wardle told attendees that the bug was found by accident as he copied and pasted code, setting the script to click a synthetic mouse "down" twice without meaning to.

"Two lines of code completely break this security mechanism," Wardle told the publication. "It is truly mind-boggling that such a trivial attack is successful."

The next version of the OS, Mojave, will block synthetic events entirely, according to the researcher. However, the security community has expressed concerns that this could hamper the functionality of legitimate apps and services.

ZDNet has reached out to Apple and will update if we hear back.

Previous and related coverage