Patrick Wardle, a researcher specializing in Apple security, recently disclosed a zero-day flaw in macOS that would allow attackers to bypass security features and run trusted apps that have malware included in them. Normally, apps must go through a series of checks to prove their authenticity; one of the main things checked is the signature on a digital certificate. If the check reveals errors in the app and it is flagged, macOS will not run the app. Certain apps that are "trusted" by the OS were only being checked for a certificate's existence, instead of having its legitimacy verified. One of the apps specifically mentioned by the researchers was VLC, an open-source video player that allows plugins to be added. Researchers stated, "For VLC, I just dropped in a new plugin, VLC loads it, and because VLC loads plugins, my malicious plugin can generate a synthetic click — which is fully allowed because the system sees it's VLC but doesn't validate the bundle to make sure it hasn't been tampered with." Synthetic mouse clicks are used in what the researchers are calling a second-stage attack method, because the malware must already have access to the targeted system. Essentially, the synthetic clicks secretly approve the victim's microphone being turned on or grant access to the system's GPS coordinates. Since this is not a remote attack, a large number of users are not yet at risk, but this could change. Apple has since been notified but has not commented, and a patch has yet to be released.
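The flaw described above comes down to the difference between checking that a signature exists and checking that the signature still covers every file in the bundle. The following Python example is added here and is not Wardle's code or Apple's verification logic: it models an app bundle as a directory sealed by an HMAC-signed manifest of per-file SHA-256 digests (a constructed stand-in for a real code-signing seal; the key, manifest name and plugin file names are made up) and contrasts the existence-only check with a full integrity check after an extra plugin is dropped into the signed bundle.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo key standing in for the signer's private key (not a real secret).
SIGNING_KEY = b"constructed-demo-key"
# Constructed name for the seal file; real bundles use a different, Apple-defined layout.
MANIFEST_NAME = "_CodeSignature.manifest"


def file_digests(bundle_dir):
    """Return {relative_path: sha256_hex} for every regular file in the bundle, except the manifest."""
    digests = {}
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir)
            if rel == MANIFEST_NAME:
                continue
            with open(path, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests


def serialize(digests):
    """Canonical, sorted 'path digest' lines so the seal does not depend on directory walk order."""
    return "\n".join(f"{p} {d}" for p, d in sorted(digests.items())).encode()


def sign_bundle(bundle_dir, key=SIGNING_KEY):
    """Write a manifest listing every file's digest, authenticated with an HMAC tag."""
    body = serialize(file_digests(bundle_dir))
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(os.path.join(bundle_dir, MANIFEST_NAME), "wb") as f:
        f.write(body + b"\n--\n" + tag.encode())


def read_manifest(bundle_dir, key=SIGNING_KEY):
    """Return the sealed digest dict, or None if the manifest is missing or its tag is invalid."""
    path = os.path.join(bundle_dir, MANIFEST_NAME)
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        body, _sep, tag = f.read().rpartition(b"\n--\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        return None
    return dict(line.rsplit(" ", 1) for line in body.decode().splitlines())


def weak_check(bundle_dir):
    """The flawed check from the article: only asks whether a validly signed manifest is present."""
    return read_manifest(bundle_dir) is not None


def strict_check(bundle_dir):
    """The correct check: the seal must be valid AND match what is actually on disk,
    so an added, removed or modified file (e.g. a dropped-in plugin) fails verification."""
    sealed = read_manifest(bundle_dir)
    if sealed is None:
        return False
    return sealed == file_digests(bundle_dir)


def demo():
    """Build a toy bundle, sign it, then drop in an unsigned plugin and re-run both checks.
    Returns ((weak, strict) before tampering, (weak, strict) after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "plugins"))
        with open(os.path.join(d, "plugins", "video.so"), "wb") as f:
            f.write(b"original plugin bytes")  # constructed content
        sign_bundle(d)
        before = (weak_check(d), strict_check(d))
        # Tamper: add a plugin to the already-signed bundle without re-signing it.
        with open(os.path.join(d, "plugins", "extra.so"), "wb") as f:
            f.write(b"unsigned plugin bytes")  # constructed content
        after = (weak_check(d), strict_check(d))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

The existence-only check still passes after the extra plugin is added, because the manifest itself is untouched; only the check that re-hashes the bundle contents against the seal notices the change. On a real Mac the equivalent of `strict_check` is `codesign --verify --deep --strict --verbose=2 /path/to/App.app`, which re-validates nested code and resources against the bundle's seal rather than merely confirming that a signature is present.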
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense