Defcon was held in Las Vegas last week. At the event, Patrick Wardle, Chief Research Officer of Digita Security, spoke in depth about a weakness he stumbled across in macOS that can lead to full system compromise. He said that just by playing around with a few lines of code, he learned that synthetic interactions with the system's UI can pave the way for serious security issues and exploitation.
The synthetic interactions Wardle refers to are programmatically generated mouse and keyboard events: code already running on the machine, even without privileges, can make the system "click" things on the user's screen without the user intending to. Such clicks can grant permissions the user never meant to give, and if a kernel extension is loaded this way, the attacker's code ends up running in the kernel, the highest privilege level on the system.
A single synthetic click is enough to get past the authorization prompts that stand in front of running applications, granting access to the keychain, loading third-party kernel extensions, and allowing outgoing network connections. That is all an attacker needs to gain a foothold on the system, run code of their choosing, and exfiltrate documents and other information of interest.
Normally, when you are prompted to grant a process permission to do something on your computer, you get a chance to think twice about whether you trust the process that is asking. Synthetic clicks remove that chance: the permission is granted on your behalf, whether or not the requesting code is trustworthy.
The vulnerability behind this, CVE-2017-7150, affects versions of macOS prior to 10.13. It allows unprivileged code to interact with UI components, including the very security dialogs that pop up to ask the user for permission to continue. Being able to generate synthetic clicks against those dialogs lets an attacker collect whatever permissions they want from the unwitting user and then do as they please on the system.
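As an added illustration (not code from Wardle's talk or from the original article), the following Swift command-line tool shows the kind of "few lines of code" the technique rests on: it uses the public CoreGraphics event API to post a synthetic left click at a caller-supplied screen coordinate, which the frontmost application receives exactly as if the user had pressed the button there. The file name, the 50 ms press/release gap and the idea of passing coordinates on the command line are assumptions for illustration; the API calls themselves are standard macOS APIs.

```swift
// synthetic_click.swift  (added example, not part of the original article)
// Build: swiftc synthetic_click.swift -o synthetic_click
// Usage: ./synthetic_click <x> <y>   -- screen coordinates of the button to press
import Foundation
import CoreGraphics
import ApplicationServices

/// Post a synthetic left-button click at `point`.
/// The events are injected at the HID event tap, so the receiving application
/// sees an ordinary mouse-down/mouse-up pair unless it (or the OS) explicitly
/// inspects where the event came from.
func postSyntheticClick(at point: CGPoint) -> Bool {
    guard
        let down = CGEvent(mouseEventSource: nil, mouseType: .leftMouseDown,
                           mouseCursorPosition: point, mouseButton: .left),
        let up = CGEvent(mouseEventSource: nil, mouseType: .leftMouseUp,
                         mouseCursorPosition: point, mouseButton: .left)
    else { return false }

    down.post(tap: .cghidEventTap)
    usleep(50_000)              // assumed 50 ms between press and release
    up.post(tap: .cghidEventTap)
    return true
}

let args = CommandLine.arguments
guard args.count == 3, let x = Double(args[1]), let y = Double(args[2]) else {
    FileHandle.standardError.write("usage: synthetic_click <x> <y>\n".data(using: .utf8)!)
    exit(1)
}

// Diagnostic check a practitioner will want: AXIsProcessTrusted() reports whether
// this process holds the Accessibility permission in TCC. On macOS releases that
// gate synthetic events behind that permission, an untrusted process's events are
// not delivered until the user grants it.
print("Accessibility trusted: \(AXIsProcessTrusted())")

if postSyntheticClick(at: CGPoint(x: x, y: y)) {
    print("posted synthetic click at (\(x), \(y))")
} else {
    print("failed to create CGEvent")
    exit(2)
}
```

Run it against a harmless target first (for example, a button in a test window whose coordinates you have read off the screen). The point to take away is how little code separates "a process is running" from "the user clicked OK": nothing in the call above requires root, and the receiving dialog only stays safe if the OS or the application itself refuses to treat synthetic events as user consent.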
Apple's intended mitigation for this kind of abuse is "User Assisted Kernel Extension Loading" (UAKEL), introduced in macOS 10.13 High Sierra. Under UAKEL, a third-party kernel extension is only loaded after the user explicitly approves it in System Preferences, and the approval is designed to accept only clicks the user performs themselves, so that a synthetically generated click cannot stand in for the user's consent.