Security researcher Patrick Wardle has spotted a number of noteworthy flaws in macOS’ security protections and — with Apple’s WWDC only hours away — has identified (via TechCrunch) a significant new one: an attacker can use a malicious plugin for a trusted app to seize control of a user’s microphone, camera, and location data, thanks to a variation on an exploit that has been known for four years.
The exploit relies on several tricks. One is macOS’ susceptibility to “synthetic clicks,” an attack that lets an app automatically click through dialog boxes as a human would: agreeing to the installation of software, granting permissions, or opening additional apps such as Terminal. Another is an “undocumented whitelisting feature” of macOS that quietly maintains a list of apps allowed to perform synthetic clicks.
According to Wardle, all a whitelisted app needs is a signed digital certificate, which in principle should let macOS quickly detect and stop a maliciously modified app from running. Instead of checking whitelisted apps for modifications, however, macOS allows them to run unchecked, so a maliciously modified app can begin using synthetic clicks to take control of a machine. Since Apple’s whitelist includes apps such as the media player VLC, which loads plugins, Wardle says that macOS will run VLC without verifying modifications made to its code by a malicious plugin.
Although white hat security researchers tend to give companies a month or more to fix vulnerabilities before publicly disclosing them, Wardle only reported his bug to Apple last week. He noted that he has flagged synthetic click bugs multiple times in the past, and though they’ve been addressed in prior macOS security updates, he said it’s “clear” that Apple doesn’t take them seriously. That has created an easy way for attackers to bypass all of macOS’ latest privacy and security systems.
Thankfully, Wardle doesn’t believe the currently unpatched flaw places “a large number of Mac users immediately at risk,” as the bug requires that the malware or attacker already have access to the computer. Resolving the problem will likely involve deeper checks of the running app’s digital certificate and code integrity, if not fully disabling synthetic clicking and/or the undocumented whitelist of apps allowed to use it.