Patrick Wardle, an ex-NSA hacker and now Chief Research Officer of Digita Security, uncovered a critical zero-day vulnerability in the macOS Sierra operating system that could allow a malicious application installed in the targeted system to virtually “click” objects without any user interaction or consent. Wardle explains: “Via a single click, countless security mechanisms can be completely bypassed. Run untrusted app? Click…allowed. Authorize keychain access? Click…allowed. Load 3rd-party kernel extension? Click…allowed. Authorize outgoing network connection? click …allowed.
Wardle described his research into “synthetic” interactions with a user interface (UI) as “The Mouse is Mightier than the Sword,” showcasing an attack that’s capable of ‘synthetic clicks’—programmatic and invisible mouse clicks that are generated by a software program rather than a human.
macOS code itself offers synthetic clicks as an accessibility feature for disabled people to interact with the system interface in non-traditional ways, but Apple has put some limitations to block malware from abusing these programmed clicks.
Wardle accidentally discovered that High Sierra incorrectly interprets two consecutive synthetic mouse “down” event as a legitimate click, allowing attackers to programmatically interact with security warnings as well that asks users to choose between “allow” or “deny” and access sensitive data or features.
“The user interface is that single point of failure,” says Wardle. “If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.”
Although Wardle has not yet published technical details of the flaw, he says the vulnerability can potentially be exploited to dump all passwords from the keychain or load malicious kernel extensions by virtually clicking “allow” on the security prompt and gain full control of a target machine.