macOS security expert Patrick Wardle talked about unpatched vulnerabilities in this operating system.
The security issue is found in the application verification process; it can lead to the loading and execution of unverified code. According to the expert, this bug is quite easy to exploit.
Among other things, it allows the generation of “synthetic clicks” that an attacker can use to confirm malicious actions. Wardle describes the following scheme: an attacker modifies an application that the system trusts by default so that it includes a “synthetic click”, which the attacker can then perform on the computer without the user’s knowledge.
What are “synthetic clicks”?
Essentially, these are automatic mouse actions that developers can incorporate into their applications. This is usually done to make life easier for the user and save them from a large number of requests to confirm actions.
Patrick Wardle, a former NSA hacker and now chief analyst at Digita Security, had already said that “synthetic clicks” can be used to circumvent the protective measures of the operating system; at that time the expert was speaking about macOS Sierra. After that, Apple took action by prohibiting the use of this technique to access the microphone, geolocation, camera, core, messages, terminal and scripts.
Now, however, the researcher claims that these protective measures can be easily bypassed if necessary. To do so, it is enough to simply modify an application that is allowed to perform “synthetic clicks”.
We are talking about applications that are listed in AllowApplications.plist. For example, this list contains the following software: Steam, VLC, Diablo 3, Starcraft, Starcraft 2, World of Warcraft and other specific software.
According to Wardle, Apple’s verification system for these applications does not function properly. For example, the resources from which the application loads and executes code are not checked, as is the case with the popular VLC video player.
“For VLC, I just dropped in a new plugin, my malicious plugin can generate a synthetic click — which is fully allowed because the system sees it’s VLC but doesn’t validate the bundle to make sure it hasn’t been tampered with, and so my synthetic event is able to click and access the user’s location, webcam, microphone,” said Patrick Wardle.
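
A simplified model of the gap Wardle describes, as an added example rather than code from the article or from Apple: an identity-only check on the main executable still passes after a plugin is dropped into the bundle, while a check of every file against a sealed manifest flags it. The bundle name Player.app, its file names and the SHA-256 manifest are constructed for illustration and do not reproduce the actual macOS verification.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def seal(bundle: Path) -> dict:
    """Record a hash for every file in the bundle (stand-in for a signed resource seal)."""
    return {p.relative_to(bundle).as_posix(): sha256(p)
            for p in sorted(bundle.rglob("*")) if p.is_file()}


def weak_check(bundle: Path, manifest: dict, main_exe: str) -> bool:
    """Identity-only check: the main executable matches, nothing else is examined."""
    return sha256(bundle / main_exe) == manifest.get(main_exe)


def strict_check(bundle: Path, manifest: dict) -> list:
    """Whole-bundle check: report files added, removed or changed since sealing."""
    current = seal(bundle)
    findings = [("added", r) for r in current if r not in manifest]
    findings += [("missing", r) for r in manifest if r not in current]
    findings += [("modified", r) for r in current
                 if r in manifest and current[r] != manifest[r]]
    return findings


def demo() -> tuple:
    """Build a constructed bundle, seal it, add an unsealed plugin, run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "Player.app"  # hypothetical allowlisted application
        (bundle / "Contents/MacOS").mkdir(parents=True)
        (bundle / "Contents/plugins").mkdir()
        (bundle / "Contents/MacOS/Player").write_bytes(b"main executable")
        (bundle / "Contents/plugins/codec.dylib").write_bytes(b"shipped plugin")
        manifest = seal(bundle)
        # Tampering after sealing: a plugin that was never part of the sealed bundle.
        (bundle / "Contents/plugins/extra.dylib").write_bytes(b"unsealed plugin")
        return (weak_check(bundle, manifest, "Contents/MacOS/Player"),
                strict_check(bundle, manifest))


if __name__ == "__main__":
    print(demo())
```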