A presentation at Def Con 2018 last week revealed an unpatched vulnerability in macOS devices that can allow malware to bypass certain security checks using a technique that fakes user mouse clicks.
Patrick Wardle, founder and chief research officer at Digita Security, reportedly demonstrated a zero-day exploit for the flaw, which takes advantage of a “synthetic clicks” feature that allows certain programs to generate virtual clicks in code rather than through a person physically clicking.
According to various reports [1, 2, 3], the vulnerability is a variation of a similar flaw Wardle had already discovered in the macOS mouse keys function, which Apple previously patched so that synthetic clicks would be prohibited when a potentially malicious program produces a prompt asking users to allow certain permissions. But while a synthetic click normally requires both a “down” and an “up” command in the code, Wardle accidentally inserted two “down” commands during his research and found that the result was a synthetic click that was not blocked.
Even more concerning: the technique was effective when used to click on an “allow” prompt for installing a kernel extension — a scenario that attackers could exploit with a malicious extension in order to hijack the kernel. However, for this exploit to work, attackers would first have to infect a targeted machine with malware capable of gaining a foothold in the device and generating the synthetic click code — preferably during times of inactivity when the user may be unaware of what’s taking place.
Wardle publicly revealed the exploit without giving Apple prior knowledge of the flaw because he felt the company should have been more diligent when it originally tried to fix the security issue, Wired reports. SC Media has reached out to Apple for comment.