Legacy app whitelist can be abused to bypass latest macOS security defenses, expert warns
Three words to ruin an Apple engineer's day: 'Patrick Wardle disclosure'
Malware can bypass protections in macOS Mojave, and potentially access user data as well as the webcam and mic – by exploiting a hole in Apple's legacy app support.
Digita Security chief research officer Patrick Wardle explained during a presentation at the Objective By the Sea conference in Monte Carlo this week how malicious software could manipulate an older installed application to bypass safeguards Apple has put on user data and sensitive components such as the camera and microphone.
Introduced by Apple last year at its World Wide Developer Conference, Mojave's security defenses require the user to expressly give permission, by clicking on a dialogue-box button, whenever an application requests access to the camera or mic, or wants to look at personal information such as photos, mail archives, browser history, or system backup information.
As an additional layer of protection, Apple disabled "synthetic events" such as automated mouse clicks on user-interface buttons. This prevents a malicious application from faking the user's authorization on the dialog box.
Wardle, however, found that there is a glaring hole in the new security features: the implementation of backwards compatibility support. He told The Register how, in order to keep the operating system from breaking older applications, Apple included within Mojave a whitelist of apps that can work around the security protections. Specifically, whitelisted apps can perform synthetic events, which would allow them to, among other things, get around the approval click.
What Wardle found was that Apple's whitelisting mechanism only checks the cryptographic signatures of applications' executables, not every piece of additional code that they load and run, such as plugins and scripts. This means that an attacker could in some way modify, or rather extend, one of those whitelisted apps to fake a permission approval click and gain access to all of the protected resources in Mojave without any noticeable user notification or interaction.
In his proof-of-concept, Wardle used a malicious plugin for the VLC media player to carry out the procedure and access what should be off-limits resources. In practice, the extension could be installed via social engineering or by exploiting a vulnerability in Safari. All that would be required to carry out the attack would be to have code running locally.
Why didn't Apple spot this? Good question…
Wardle said the bug is far from a sophisticated vulnerability, and should not have been particularly hard for Cupertino's engineers to spot, had they known what to look for.
"If any security researcher or someone at Apple with a security mindset had audited this code, they would have noticed it. Once you see this bug, it is trivial, " Wardle told El Reg.
"They are not auditing the code, they are implementing these new security features, but the reality is they are often implemented incorrectly."
Even more frustrating, said Wardle, is that these are the sort of mistakes Apple has made repeatedly in recent years, even as its execs have talked up their efforts to make macOS and iOS devices more secure and private.
He explained how, time and again, he and other researchers have reported security vulnerabilities in Apple's platforms, only to see the Cupertino giant deliver patches that only address a small portion of the vulnerability, or leave the root cause of a flaw exposed.
Huge news from Apple: No, not mags, games or TV – more than 50 security bugs to patchREAD MORE
"The majority of the bugs and CVEs I receive are often secondary or tertiary flaws for the same bug that Apple did not patch completely," Wardle explained. "When you report a flaw to them, they do not comprehensively patch it."
This not only frustrates researchers, but also increases the risk of future attacks because malware writers get to see where the operating system is vulnerable to attacks and how they can exploit the holes that are left exposed.
No patch exists yet for this security weakness. The disclosure this week should serve as a wake-up call for both executives and engineers at Apple ahead of this week's WWDC conference.
Apple typically uses its developer get-together to highlight the upcoming features it will be including in the new versions of iOS and macOS, both of which typically arrive in the late summer. Between now and then, Cupertino will have plenty of work to do on securing both platforms. ®