Collective Intelligence Podcast, Patrick Wardle on Synthetic Click Vulnerabilities in macOS
By Mike Mimoso
Hackers and defenders aren’t the only players in the security cat-and-mouse game. Vendors and researchers are playing too.
Apple, for example, has spent the last year touting new security and privacy enhancements in the latest version of macOS, Mojave. Among the fixes were updates that ban synthetic clicks, a feature where mouse clicks are programmatically generated within the OS. While there are legitimate uses for synthetic clicks—remote administration or certain accessibility features—attackers may also leverage this feature to spy on users by turning on location services or through the internal webcam or microphone, or to allow the installation of additional malicious code.
Longtime macOS bug-hunter Patrick Wardle has privately disclosed numerous bugs in the past to Apple, including a few related to synthetic clicks. Earlier this month, Wardle privately disclosed to Apple—and later publicly at the Objective By The Sea conference—new vulnerabilities around its protections that would allow an attacker to bypass them entirely using synthetic clicks.
In this episode of the Collective Intelligence Podcast, Wardle, the chief research officer at Digita Security, provides some details on the vulnerability and some of the subtler risks involved beyond surveillance and privacy violations, such as using a synthetic click to allow the installation of a signed, and malicious, kernel extension. Such an action would give an attacker access to the macOS kernel and full control over the victim’s machine.
Wardle explains that these types of attacks involving synthetic clicks are second-stage actions, and that an attacker would first have to gain access to the machine before abusing synthetic clicks to access features or load further code.
The vulnerability, meanwhile, lies in an undisclosed whitelist of approved applications that could still use synthetic clicks. An attacker could abuse one of those trusted applications because the operating system fails to validate whether the app has been tampered with; it checks instead only whether the app has been digitally signed and whether it was signed by a trusted developer.
Apple has yet to patch this vulnerability but has introduced some mitigations since it was disclosed in order to dampen its effects.
“This fix is actually relatively trivial,” Wardle said. “They passed an incorrect flag value to a code-signing API; the code-signing API is a function that will validate the application. You can pass it various flags to tell it what type of validation to perform. One of those flags validates everything, and if they would have passed that flag, the entire application bundle would have been invalidated, and malicious code modifications and code injections would have been detected. In other words, if they had passed the right flag, we wouldn’t be having this conversation.”
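The difference between the two kinds of validation described above can be shown with a simplified model, added here as an illustration; it is not Apple's code or the real code-signing API. An HMAC stands in for the developer's signature, and the names `seal`, `validate` and `check_all`, along with the sample bundle contents, are hypothetical and constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a trusted developer's signing identity (assumption).
TRUSTED_KEY = b"constructed-demo-key"

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _sign(manifest: dict) -> str:
    blob = repr(sorted(manifest.items())).encode()
    return hmac.new(TRUSTED_KEY, blob, hashlib.sha256).hexdigest()

def seal(bundle: dict) -> dict:
    """At signing time: record a hash per file, then sign that manifest."""
    manifest = {path: _sha256(data) for path, data in bundle.items()}
    return {"manifest": manifest, "signature": _sign(manifest)}

def validate(bundle: dict, sealed: dict, check_all: bool) -> bool:
    """check_all is a hypothetical flag modelling 'validate everything'."""
    # Step 1: is the bundle signed, and by the trusted signer?
    if not hmac.compare_digest(_sign(sealed["manifest"]), sealed["signature"]):
        return False
    if not check_all:
        return True  # weak mode stops here: files on disk are never re-hashed
    # Step 2: nothing added or removed since signing...
    if set(bundle) != set(sealed["manifest"]):
        return False
    # ...and every file still matches the hash recorded in the manifest.
    return all(_sha256(data) == sealed["manifest"][path]
               for path, data in bundle.items())

# Constructed sample bundle and two post-signing modifications.
ORIGINAL = {"Contents/MacOS/App": b"main executable",
            "Contents/PlugIns/helper": b"vendor plugin"}
SEALED = seal(ORIGINAL)
TAMPERED = {**ORIGINAL, "Contents/PlugIns/helper": b"modified after signing"}
INJECTED = {**ORIGINAL, "Contents/PlugIns/extra": b"added after signing"}

if __name__ == "__main__":
    for name, b in [("original", ORIGINAL), ("tampered", TAMPERED),
                    ("injected", INJECTED)]:
        print(name, "signed-only:", validate(b, SEALED, check_all=False),
              "full:", validate(b, SEALED, check_all=True))
```

In this model the signed-only check accepts all three bundles, while the full check accepts only the unmodified one.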
The Collective Intelligence Podcast, presented by Flashpoint and hosted by Editorial Director Mike Mimoso, features regular interviews with a diverse set of industry experts and Flashpoint analysts on the latest information security news and industry trends.