The flaw would allow hackers to bypass security measures with invisible clicks
According to research carried out by an enterprise network security expert, a Mac running the latest version of Apple's macOS (High Sierra) could be attacked by adjusting only two lines of code. Patrick Wardle, a former National Security Agency (NSA) hacker, discovered a critical zero-day vulnerability in macOS that could allow a malicious application installed on the targeted system to click on the system virtually, with no user interaction or consent required.
To illustrate how dangerous this vulnerability could be, the enterprise network security specialist comments that “a single click can bypass countless security mechanisms. Run an untrusted application? Click here… allowed. Authorize access to the keychain? Click here… allowed.”
The expert presented his research, titled “The mouse is stronger than the sword”, on “synthetic interactions”: an attack that relies on “synthetic clicks”, programmatic and invisible clicks generated by a software program rather than by a human.
macOS itself offers these “synthetic clicks” as an accessibility function, so that people with disabilities can interact with the system interface in non-traditional ways, but Apple has put limitations in place to prevent malicious use.
Wardle discovered, by accident, that High Sierra misinterpreted two consecutive mouse “down” events as a legitimate click, allowing hackers to interact programmatically with security prompts, which ask the user to allow or deny access to confidential data or features. “The user interface is the main point of the flaw”, the expert said. “If you have a way to interact virtually with these alerts, you have a very powerful way of bypassing all these security mechanisms”.
Although Wardle has not yet published the technical details of the vulnerability, he says it can be exploited to dump all passwords from the macOS keychain, or to load malicious kernel extensions by virtually clicking the “Allow” button on the security warning and gaining total control of the machine.
Unlike on previous occasions, Wardle did not inform Apple about his research and opted to publicly disclose the details of the vulnerability at a recent cyber security conference.
According to enterprise network security experts from the International Institute of Cyber Security, Mojave, the next version of macOS, has already mitigated the threat by blocking synthetic interactions, which narrows the accessibility functions available to applications that legitimately use this feature.