macOS Zero-day Flaw Allow Hackers to Bypass Kernel Protection by Invisible Mouse Click Attack

A Presentation that was demonstrated during the Def Con 2018 regarding the Zero-day vulnerability that discovered in macOS High Sierra OS allows let an attacker access the kernel using invisible mouse clicks.

Basically, kernel level access allows gaining unparalleled access to the attackers in the compromised operating system.

Patrick Wardle, A Chief researcher in Digita Security and Ex, NSA Hacker uncovered a flaw in High Sierra OS that two consecutive synthetic mouse “down” events were incorrectly interpreted the programmatic clicks as a manual approval by High Sierra.

Patrick explained that vulnerability in High Sierra operating system by that two lines of code that could allow a local attacker to virtually “click” a security prompt and thus load a kernel extension.

This macOS flaw allows unprivileged code to interact with any UI component including the ‘protected’ security dialogues.

This attack is performed by invisible mouse clicks also called as synthetic clicks and Apple disables these kinds of mouse clicks for users to interact with UI and blocking the malware to performing programmatic clicks.

But This flaw (CVE-2017-7150) in all recent versions of macOS that incorrectly interprets the synthetic two-down sequence as a mouse “down” and “up.” as legitimate mouse clicks that interact with High Sierra’s user interface that attempts to prevent the loading of kernel extensions.

Patrick said, “Two lines of code completely break this security mechanism,” he said. “It is truly mind-boggling that such a trivial attack is successful. I’m almost embarrassed to talk about the bug as it’s so simple — though I’m actually more embarrassed for Apple.”

Patrick Found this bug by accident when copying and pasting the code. he explained that, I copied and pasted the code for a synthetic mouse down twice accidentally – forgetting to change a value of a flag that would indicate a mouse “up” event. Without realizing my ‘mistake,’ I compiled and ran the code, and honestly was rather surprised when it generated an allowed synthetic click!”

In this case, If malware can use that trick to install a kernel extension, it can often exploit that added code to gain full control of a targeted machine.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed its game over,” Wardle said.

A piece of malware can install that extension and then exploit its flaw to take control of the kernel. Wardle points out that the Slingshot malware used this exact technique.

Of course, OS vendors such as Apple are keenly aware of this ‘attack’ vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately, they failed.

Also Read

Dangerous macOS Backdoor That Steals User Login Credentials Remained Undetected for Years

Apple Released Security Updates for iOS, macOS, Safari, iTunes – iOS 11.4.1 Released

MACOS Malware Targeting Cryptocurrency Users On Slack and Discord – 100% Undetected Virustotal

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago