Security flaw in macOS Mojave embarrasses Apple ahead of WWDC 2019


There’s a vulnerability in macOS Mojave that could allow an attacker to sidestep part of the operating system’s built-in security countermeasures which are designed to defend against unauthorized access to user data, or indeed the webcam and microphone.

This is rather embarrassing for Apple given that the firm’s big WWDC 2019 event is about to kick off with the keynote very shortly, and at last year’s conference, Craig Federighi declared that these sorts of security features are one of the reasons folks purchase Apple machines.

As TechCrunch reports, the latest flaw lies in the defenses Apple introduced to stop potentially malicious apps from gaining access to user data unless the user themselves clicks OK to give the application permission for access.

There was a problem in Apple’s initial implementation of this system, though, which meant that attackers could potentially use an ‘artificial’ click – manufactured by themselves – to OK and dismiss the permission pop-up, and subsequently leverage their malicious app.

So, the fresh countermeasures introduced in macOS Mojave were designed to prevent any such synthetic clicks from subverting the system. In other words, the user must see the box, and manually click it.

The new exploit, however, has found a way around this protection thanks to an oversight in a whitelist of macOS apps. These are older (legacy) programs that get an exception because otherwise the system would break the application and it wouldn’t run under macOS.

As highlighted by Patrick Wardle, security expert and co-founder of Digita Security, the core problem is that when it comes to validating whether one of these whitelisted apps is actually the genuine application, macOS isn’t fully authenticating the software.

Wardle noted: “The only thing Apple is doing is validating that the application is signed by who they think it is.”

The operating system fails to check whether the application has been modified in any form, and this is a big issue. It means that apps like the VLC Media Player, which allows plugins, can be modified with a malicious plugin which can fire off a synthetic click to automatically dismiss any consent prompt.
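
As an added illustration (not code from the article, from Wardle or from Apple), the toy Python model below contrasts an identity-only check with one that also verifies the bundle's contents against what was signed. The signer name, key and file paths are constructed, and an HMAC stands in for a real public-key code signature.

```python
import hashlib, hmac, json

# Constructed data: hypothetical signer name and key; HMAC stands in for a
# real public-key code signature so the example runs with the stdlib only.
TRUSTED = {"Example Media Team": b"constructed-demo-key"}

def manifest(files):
    """Hash every file in the bundle, as a signing tool would at release time."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def seal(files, signer):
    """Sign the manifest; the seal ships inside the bundle."""
    hashes = manifest(files)
    body = json.dumps(hashes, sort_keys=True).encode()
    sig = hmac.new(TRUSTED[signer], body, hashlib.sha256).hexdigest()
    return {"signer": signer, "hashes": hashes, "sig": sig}

def signer_ok(bundle):
    """Identity-only check: is the seal genuinely from an allowlisted signer?"""
    s = bundle["seal"]
    key = TRUSTED.get(s["signer"])
    if key is None:
        return False
    body = json.dumps(s["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, s["sig"])

def signer_and_contents_ok(bundle):
    """Identity plus integrity: files on disk must match the sealed manifest,
    so added, removed or altered files (plugins included) fail the check."""
    return signer_ok(bundle) and manifest(bundle["files"]) == bundle["seal"]["hashes"]

def demo():
    files = {"Contents/MacOS/player": b"player", "Contents/PlugIns/codec": b"codec-v1"}
    genuine = {"files": files, "seal": seal(files, "Example Media Team")}
    # Same seal, but one file was added to the bundle after signing.
    altered = {"files": {**files, "Contents/PlugIns/extra": b"unreviewed"},
               "seal": genuine["seal"]}
    return {name: (signer_ok(b), signer_and_contents_ok(b))
            for name, b in (("genuine", genuine), ("altered", altered))}

if __name__ == "__main__":
    for name, (identity, full) in demo().items():
        print(f"{name}: identity-only={identity} identity+integrity={full}")
```

The altered bundle passes the identity-only check because its seal is still genuine; only the comparison of current files against the sealed manifest rejects it.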

Once the attacker has this foothold in the target system, Wardle reminds us that they can access details such as the user’s location, webcam, mic and so forth.

Not a remote attack

The saving grace preventing this from being a much more serious issue is that the attacker must already have access to the target PC before the exploit can be leveraged. Wardle observed: “This isn’t a remote attack so I don’t think this puts a large number of Mac users immediately at risk.”

Of course, it’s hardly out of the realms of possibility that an attacker could gain access to your machine, perhaps via social engineering, for instance, before leveraging this bug as the second stage of an incursion.

In other words, it’s still something Apple should very much be fixing, although it’s not clear if that’s the case at the moment, seeing as the firm hasn’t commented on the flaw.

Wardle reported the problem to Apple last week, but it remains unpatched as of the time of writing. The security researcher further lamented Apple’s typical response to these sorts of ‘artificial click’ bugs, which he has reported several times in the past, and asserted his belief that the company doesn’t take them seriously enough.

No sooner had macOS Mojave launched last year than Wardle found a zero-day bug which allowed for bypassing the operating system’s privacy defenses, so let’s hope this isn’t the case with the release of macOS 10.15, which will (almost certainly) be unveiled imminently.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).