Apple's security is a joke, basic issues not fixed 3x in a row.

phaZed

ANOTHER MAC BUG LETS HACKERS INVISIBLY CLICK SECURITY PROMPTS
https://www.wired.com/story/apple-macos-bug-synthetic-clicks/

Well, so much for Apple's "legendary security" and "extreme vetting" of software. For the 3rd time, according to ex-NSA security researcher Patrick Wardle, Apple has failed to fix these issues, even as Apple gives their keynote, marketing the broken feature as a good one, when they know full well it isn't. It's literally 100% broken.

...Synthetic clicks—clicks generated by a program rather than a human finger on a mouse or trackpad—have long been a useful tool for automation as well as accessibility for disabled users. To block malicious use of synthetic clicks, MacOS requires any application that uses them to be added by the user to an approved list...

...But Apple-focused blogger Howard Oakley found in November that there are some exceptions to this rule, included by default on MacOS systems. This short, strange list of applications—including some versions of VLC, Adobe Dreamweaver, Steam, and other programs—can use synthetic clicks without requiring the user's pre-approval....

Due to an error in how Apple implemented code signing for that list—a feature that checks if the code of an application has been signed with a legitimate cryptographic key to prove its identity—Wardle found he could simply modify an approved program like VLC to include his malware. Despite the code modifications, MacOS would verify that his program was a copy of VLC and allow it to generate clicks at will....

"It's like doing an ID check, but not checking the validity of the ID, just checking the name on it," Wardle says. "Because Apple has messed up the verification, they don’t detect that I've modified and subverted VLC, so they allow my synthetic click. So I can bypass all of these new Mojave privacy measures."

The bug in Mojave that Wardle revealed yesterday marks the third time he's exposed a flaw in Apple's safeguards against synthetic clicks. In earlier research, he's shown that while MacOS tried to block synthetic clicks on security prompts, his malware could click through them by using an obscure feature called "mouse keys" that essentially allows mouse control via the keyboard. Apple patched this hack, but a few months later, Wardle found that he could circumvent the patch with an even stranger technique. A synthetic click includes two commands, a "down" click and an "up" click, just as with a physical mouse. Wardle discovered that two "down" commands was also somehow interpreted as a click, but it wasn't subject to the same safeguards. Using that allowed him to click through the security prompt blocking a kernel extension.

Wardle says he told Apple about his latest attack just a week before revealing it—hardly enough time, he admits, for the company to patch it. But after seeing so many repeated errors, he’s frustrated with Apple’s carelessness and wanted to apply more pressure by dropping the unpatched bug in public. "My approach of responsible disclosure isn't working at all," he says. "So I'm trying an alternate route to inspire Apple."

Apple's ongoing failure to fix bugs in the same security mechanism—one it even featured onstage at WWDC—points, he says, to more deep-seated problems in the company’s approach to security. "Why aren’t they auditing this code before releasing it? Especially when they’re getting up on stage and touting all these security features that are essentially worthless," Wardle says. "If you don’t do a good job with the implementation, all of it is just marketing."

So, cryptographic code-signing is BROKEN for applications - looks like any ol' thing will do!
The underlying OSX HID APIs are unsecure and broken.
And Apple could care less while knowingly lying to you about it in real time....
Oh well!
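The flawed check the quoted article describes (reading the name on the ID without validating the ID), as an added example that is not part of the original post, the Wired article, or Apple's code. It is a toy Python model in which an HMAC stands in for a real code signature; the key, identifier and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a toy signing key and allowlist, not real values.
# HMAC is a stand-in here for a real asymmetric code signature.
VENDOR_KEY = b"constructed-demo-key"
ALLOWLIST = {"org.example.player"}  # hypothetical pre-approved identifier


def sign_app(identifier: str, code: bytes) -> dict:
    """Build a toy signed bundle: code plus a record binding identifier to code hash."""
    digest = hashlib.sha256(code).hexdigest()
    msg = f"{identifier}|{digest}".encode()
    tag = hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()
    return {"code": code, "identifier": identifier, "digest": digest, "tag": tag}


def weak_check(app: dict) -> bool:
    """Flawed check: trusts the name in the signature record and validates nothing."""
    return app["identifier"] in ALLOWLIST


def strict_check(app: dict) -> bool:
    """Validate the record, then confirm the code still matches what was signed."""
    msg = f"{app['identifier']}|{app['digest']}".encode()
    expected = hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, app["tag"]):
        return False  # the signature record itself was altered
    actual = hashlib.sha256(app["code"]).hexdigest()
    if not hmac.compare_digest(actual, app["digest"]):
        return False  # the code changed after it was signed
    return app["identifier"] in ALLOWLIST


def demo() -> dict:
    """Run both checks on an untouched bundle and on one changed after signing."""
    original = sign_app("org.example.player", b"original program bytes")
    modified = dict(original, code=original["code"] + b" + appended bytes")
    return {
        "weak_original": weak_check(original),
        "weak_modified": weak_check(modified),
        "strict_original": strict_check(original),
        "strict_modified": strict_check(modified),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The weak check allows both bundles because the identifier is unchanged; the strict check denies the one whose bytes no longer match the signed digest.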