Wednesday, November 6, 2024
HomeComputer SecuritymacOS Zero-day Flaw Allow Hackers to Bypass Kernel Protection by Invisible Mouse...

macOS Zero-day Flaw Allow Hackers to Bypass Kernel Protection by Invisible Mouse Click Attack

Published on

Malware protection

A Presentation that was demonstrated during the Def Con 2018 regarding the Zero-day vulnerability that discovered in macOS High Sierra OS allows let an attacker access the kernel using invisible mouse clicks.

Basically, kernel level access allows gaining unparalleled access to the attackers in the compromised operating system.

Patrick Wardle, A Chief researcher in Digita Security and Ex, NSA Hacker uncovered a flaw in High Sierra OS that two consecutive synthetic mouse “down” events were incorrectly interpreted the programmatic clicks as a manual approval by High Sierra.

- Advertisement - SIEM as a Service

Patrick explained that vulnerability in High Sierra operating system by that two lines of code that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension.

This macOS flaw allows unprivileged code to interact with any UI component including the ‘protected’ security dialogues.

This attack is performed by invisible mouse clicks also called as synthetic clicks and Apple disables these kinds of mouse clicks for users to interact with UI and blocking the malware to performing programmatic clicks.

But This flaw (CVE-2017-7150) in all recent versions of macOS that incorrectly interprets the synthetic two-down sequence as a mouse “down” and “up.” as legitimate mouse clicks that interact with High Sierra’s user interface that attempts to prevent the loading of kernel extensions.

Patrick said, “Two lines of code completely break this security mechanism,” he said. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”

Patrick Found this bug by accident when copying and pasting the code. he explained that, I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse “up” event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”

In this case, If malware can use that trick to install a kernel extension, it can often exploit that added code to gain full control of a targeted machine.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed its game over,” Wardle said.

A piece of malware can install that extension and then exploit its flaw to take control of the kernel. Wardle points out that the Slingshot malware used this exact technique.

Of course, OS vendors such as Apple are keenly aware of this ‘attack’ vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed.

Also Read

Dangerous macOS Backdoor That Steals User Login Credentials Remained Undetected for Years

Apple Released Security Updates for iOS, macOS, Safari, iTunes – iOS 11.4.1 Released

MACOS Malware Targeting Cryptocurrency Users On Slack and Discord – 100% Undetected Virustotal

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

Google Patched 40 Security Vulnerabilities Along With Two Zero-Days

Google has released a batch of security updates addressing 40 vulnerabilities, two of which...