Saturday, December 7, 2024
HomeCyber Security NewsmacOS WorkflowKit Race Vulnerability Allows Malicious Apps to Intercept Shortcuts

macOS WorkflowKit Race Vulnerability Allows Malicious Apps to Intercept Shortcuts

Published on

SIEM as a Service

A race condition vulnerability in Apple’s WorkflowKit has been identified, allowing malicious applications to intercept and manipulate shortcuts on macOS systems.

This vulnerability, cataloged as CVE-2024-27821, affects the shortcut extraction and generation processes within the WorkflowKit framework, which is integral to the Shortcuts app on macOS Sonoma.

macOS WorkflowKit Race Vulnerability

The vulnerability arises from a race condition in the method responsible for extracting signed shortcut files. The method -[WFShortcutPackageFile preformShortcutDataExtractionWithCompletion:] contains a flaw that can be exploited by malicious apps.

- Advertisement - SIEM as a Service

Maximizing Cybersecurity ROI: Expert Tips for SME & MSP Leaders – Attend Free Webinar

These apps can intercept shortcut files during the import process, bypassing the need for a valid signature check. The exploitation involves modifying the extracted files before they are finalized, allowing an attacker to inject malicious code into shortcuts without user consent.

Moreover, another race condition was discovered in the method generateSignedShortcutFileRepresentationWithPrivateKey:signingContext:error.

This flaw allows for similar interception and modification during the generation of signed shortcuts. By manipulating directory paths and using symbolic links, attackers can replace legitimate shortcuts with altered versions during the signing process.

The implications of this vulnerability are significant. Malicious apps could potentially run silently in the background, intercepting shortcuts shared or imported by users.

This could lead to unauthorized access to sensitive user data or execution of unintended actions within shortcuts. The vulnerability underscores the importance of robust path handling and validation mechanisms in software development.

Apple has addressed this vulnerability in macOS Sonoma 14.5 by implementing additional sandbox restrictions and improving path validation processes.

This patch prevents unauthorized access to temporary directories used during shortcut extraction and generation, effectively mitigating the risk of exploitation.

The discovery and reporting of this vulnerability were credited to security researchers Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit) of Kandji. Their efforts highlight the ongoing need for vigilance in identifying and addressing security flaws in widely used software frameworks.

While Apple has promptly addressed this issue with a patch, users are advised to update their systems to macOS Sonoma 14.5 or later to ensure protection against potential exploits.

For developers and security professionals, this case emphasizes the importance of understanding race conditions and implementing comprehensive security measures to prevent similar vulnerabilities in future software releases.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN -> Try for Free

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...