macOS WorkflowKit Race Vulnerability Allows Malicious Apps to Intercept Shortcuts

A race condition vulnerability in Apple’s WorkflowKit has been identified, allowing malicious applications to intercept and manipulate shortcuts on macOS systems.

This vulnerability, cataloged as CVE-2024-27821, affects the shortcut extraction and generation processes within the WorkflowKit framework, which is integral to the Shortcuts app on macOS Sonoma.

macOS WorkflowKit Race Vulnerability

The vulnerability arises from a race condition in the method responsible for extracting signed shortcut files. The method -[WFShortcutPackageFile preformShortcutDataExtractionWithCompletion:] contains a flaw that can be exploited by malicious apps.

These apps can intercept shortcut files during the import process and slip past the signature check. The exploitation involves modifying the extracted files after they have been checked but before they are finalized, allowing an attacker to inject malicious code into shortcuts without user consent.

Moreover, another race condition was discovered in the method generateSignedShortcutFileRepresentationWithPrivateKey:signingContext:error.

This flaw allows for similar interception and modification during the generation of signed shortcuts. By manipulating directory paths and using symbolic links, attackers can replace legitimate shortcuts with altered versions during the signing process.

The implications of this vulnerability are significant. Malicious apps could potentially run silently in the background, intercepting shortcuts shared or imported by users.

This could lead to unauthorized access to sensitive user data or execution of unintended actions within shortcuts. The vulnerability underscores the importance of robust path handling and validation mechanisms in software development.
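The check-then-use pattern behind both races, as an added illustration that is neither Apple's code nor from the original article: an HMAC stands in for the shortcut signature, a callback stands in for the concurrent writer, and the hardened importer reads the staged file once through a non-following open and uses exactly the bytes it verified.

```python
import hashlib, hmac, os, stat, tempfile

# Constructed stand-ins (not Apple's format): HMAC plays the shortcut signature.
DEMO_KEY = b"constructed-demo-key"
GOOD = b"actions: [show-result 'hello']"
TAMPERED = b"actions: [run-shell-script 'never signed']"

def sign(data):
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()

def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)

def import_vulnerable(path, sig, during_window=None):
    """Verify the staged file, then re-read it: the second read is used unverified."""
    with open(path, "rb") as f:
        if not verify(f.read(), sig):
            return None
    if during_window:
        during_window(path)          # stands in for a concurrent writer
    with open(path, "rb") as f:      # this read is what gets used
        return f.read()

def import_hardened(path, sig, during_window=None):
    """Read once, verify those bytes, use those bytes; refuse symlinks/non-regular files."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:                  # symlink, missing file, ...
        return None
    with os.fdopen(fd, "rb") as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            return None
        data = f.read()
    if not verify(data, sig):
        return None
    if during_window:
        during_window(path)          # writer still runs, but disk is not re-read
    return data

def run_demo():
    """Stage a signed shortcut, let a writer hit the window, return what each importer used."""
    def writer(p):                   # overwrites the staged file mid-import
        with open(p, "wb") as f:
            f.write(TAMPERED)
    results = []
    for importer in (import_vulnerable, import_hardened):
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "staged.shortcut")
            with open(path, "wb") as f:
                f.write(GOOD)
            results.append(importer(path, sign(GOOD), writer))
    return tuple(results)
```

`run_demo()` returns the tampered bytes for the vulnerable importer and the verified bytes for the hardened one; the O_NOFOLLOW open also rejects the symlink swap described for the signing path.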

Apple has addressed this vulnerability in macOS Sonoma 14.5 by implementing additional sandbox restrictions and improving path validation processes.

This patch prevents unauthorized access to temporary directories used during shortcut extraction and generation, effectively mitigating the risk of exploitation.

The discovery and reporting of this vulnerability were credited to security researchers Kirin (@Pwnrin), zbleet, and Csaba Fitzl (@theevilbit) of Kandji. Their efforts highlight the ongoing need for vigilance in identifying and addressing security flaws in widely used software frameworks.

Apple has addressed this issue with a patch, and users are advised to update their systems to macOS Sonoma 14.5 or later to ensure protection against potential exploits.

For developers and security professionals, this case emphasizes the importance of understanding race conditions and implementing comprehensive security measures to prevent similar vulnerabilities in future software releases.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
