Threat Watch

New MacOS Zero-Day Uses Synthetic Clicks to Bypass Security Features

Patrick Wardle, an Apple researcher, recently disclosed a zero-day flaw in MacOS that allows attackers to bypass security features and run trusted apps that have malware bundled into them. Normally, apps must pass a series of checks to prove their authenticity; one of the main things checked is the signature on a digital certificate. If the check reveals errors in the app and it is flagged, MacOS will not run it. Certain apps that are "trusted" by the OS were only being checked for a certificate's existence, not for its legitimacy. One of the apps specifically mentioned by the researchers was VLC, an open-source video player that allows plugins to be added. The researcher stated, "For VLC, I just dropped in a new plugin, VLC loads it, and because VLC loads plugins, my malicious plugin can generate a synthetic click — which is fully allowed because the system sees it's VLC but doesn't validate the bundle to make sure it hasn't been tampered with." Synthetic mouse clicks are used in what the researchers call a second-stage attack, because the malware must already have access to the targeted system. Essentially, the synthetic clicks silently approve turning on the victim's microphone or granting access to the system's GPS coordinates. Since this is not a remote attack, most users are not yet at risk, but this could change. Apple has been notified but has not commented, and a patch has yet to be released.
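The gap described above is that a signature's presence was treated as proof of integrity. As an added defender-side check (this is not the article's or Apple's code), the shell script below runs codesign's full bundle verification and classifies the result, so a bundle whose plugins were swapped out is reported as TAMPERED rather than trusted; the bundle path and the mapping of codesign's stderr messages to verdicts are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies an app bundle's
# code signature, including nested code such as plugins, instead of only
# checking that some signature exists. Requires macOS for the actual
# codesign call; the classifier itself is plain text processing.

# classify_codesign_output <exit-status> <codesign stderr text>
# Prints one of: OK, UNSIGNED, TAMPERED, INVALID. Returns 0 only for OK.
# The message fragments are those codesign prints (assumed stable).
classify_codesign_output() {
  status=$1
  output=$2
  if [ "$status" -eq 0 ]; then
    echo OK
    return 0
  fi
  case "$output" in
    *"not signed at all"*)
      echo UNSIGNED ;;
    *"sealed resource is missing or invalid"*|*"have been modified"*)
      echo TAMPERED ;;   # contents changed after signing, e.g. a new plugin
    *)
      echo INVALID ;;    # signed, but the signature does not check out
  esac
  return 1
}

# verify_bundle <path/to/App.app>
# --deep walks nested bundles/plugins, --strict rejects lax resource rules.
verify_bundle() {
  bundle=$1
  if ! command -v codesign >/dev/null 2>&1; then
    echo "codesign not available (macOS only)" >&2
    return 2
  fi
  if out=$(codesign --verify --deep --strict --verbose=2 "$bundle" 2>&1); then
    rc=0
  else
    rc=$?
  fi
  verdict=$(classify_codesign_output "$rc" "$out")
  echo "$bundle: $verdict"
  [ "$verdict" = OK ]
}

# Usage: ./verify_bundle.sh /Applications/VLC.app   (path is an assumption)
if [ $# -gt 0 ]; then
  verify_bundle "$1"
fi
```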

ANALYST NOTES

Users should keep an eye out for a patch from Apple, which should arrive sometime in the near future. Until then, users should make sure all security settings are turned on and that they are running the most up-to-date version of the OS.