Threat Watch

Zero-Day Surfaces for Apple Software

Researchers have discovered a zero-day in Apple's software by adjusting a few lines of code. The technique was described as "synthetic interactions" with a UI (user interface) that could lead to serious macOS system vulnerabilities. According to researchers, "a new zero-day security flaw was stumbled upon after tampering with two lines of code in Apple's macOS UI despite the iPad and iPhone maker's attempts to mitigate the bug." Synthetic interactions allow attackers to click objects in order to load code without the user's consent. With just a single click, security mechanisms could be completely bypassed. This could allow attackers to run untrusted apps, load third-party kernel extensions, authorize outgoing network connections, authorize keychain access, and more. Some users might be able to prevent these attacks thanks to warning dialogs; however, it is possible to generate synthetic clicks silently, in a way that is invisible to the user.

The vulnerability (CVE-2017-7150) affects modern versions of Apple's macOS software before version 10.13. Apple has been informed about the vulnerability and has released an update as an attempt to mitigate the design flaw and the attack avenues it opens. This update requires the user to manually click an "allow" button before a kernel extension is loaded. Researchers have noticed that the UI redesign has not fully closed the hole: the zero-day relies on High Sierra's incorrect interpretation of software events, the result of an incomplete patch. The problem lies in how macOS approves or rejects synthetic events. The next software update is expected to block synthetic events completely.