A solution will arrive with macOS Mojave

Aug 16, 2018 06:35 GMT  ·  By

A new zero-day vulnerability that would allow a user to compromise the entirety of the macOS operating system has been unveiled by Patrick Wardle, a former NSA hacker.

Zero-day flaws and other security problems are present in all operating systems, and they are discovered from time to time, usually by researchers. Patches are issued and the bugs are fixed, at least until a new one is found.

The same thing happened when Patrick Wardle, Chief Research Officer of Digita Security and former NSA hacker, accidentally discovered a vulnerability in the Accessibility features of macOS that would allow him to fully compromise the operating system.

Bypassing the access prompt and password

The problem originated with the Accessibility feature that allows users to interact with the interface via virtual clicks, generating a synthetic event, which is basically a programmatic interaction with the UI. Although in theory it’s designed to help people with disabilities, it also lets code click on security prompts and load kernel extensions.

This also allows an attacker to bypass the keychain access prompt and consequently extract passwords. It’s an older problem, documented in CVE-2017-7150. Needless to say, dumping all passwords from the keychain is a bad thing.

Patrick described the attack, but he didn’t reveal specifics. “Armed with the bug, it was trivial to programmatically bypass Apple's touted 'User-Approved Kext' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And as Apple's patch was incomplete (surprise surprise) we'll drop an 0day that (still) allows unprivileged code to post synthetic events and bypass various security mechanisms on a fully patched macOS box!”

It’s important to mention that this attack was carried out on a fully patched macOS, which is even weirder. Technically, developers are well aware of synthetic clicks and they know it’s a security risk that needs to be dealt with.

Finally, there is good news and bad news. Apple patched the problem in the latest macOS Mojave, which is still in the Beta stages. The bad news is that they used the “hammer” approach: Apple blocked synthetic events entirely. It’s possible that some legitimate functions and features will be impeded or disabled.