'Synthetic Click' attack re-emerges in macOS High Sierra at Defcon

Posted:
in macOS
A vulnerability has been discovered in macOS that could allow an attacker to impersonate a mouse click, enabling for it to bypass security prompts and completely compromise a Mac, a flaw that was found by accident.




Revealed at the Defcon computer security conference, Digita Security's Chief Research Officer Patrick Wardle advised that "synthetic" events, namely software-based clicking of interface objects, are still a problem for macOS. While Apple has attempted to fix the flaw, the new discovery means synthetic clicks are still capable of working in certain circumstances, reports Threat Post.

A synthetic click in malware could be used to bypass security prompts that users must agree to, before allowing specific activities to take place. This can be anything from simply enabling access for sensitive elements, like the Keychain, to riskier activities like loading a kernel extension.

Previously, synthetic clicks were an issue that was solved in a new security feature called "User Assisted Kernel Extension Loading," which forced users to manually approve the loading of a kernel extension via an "allow" button in the security system interface. In macOS High Sierra, the operating system has been filtering out synthetic clicks that could affect security alerts, making the technique unusable by attackers.

At the presentation, Wardle admitted he discovered a flaw by accident while working in High Sierra, but noted that his code's actions worked around the restrictions.

A mouse click is interpreted as two actions in macOS, namely the "down" and "up" elements to click and to release. Wardle's discovery was that two consecutive synthetic "down" events were misinterpreted by High Sierra as a manual legitimate click, with the errant "up" event seemingly coming from macOS itself and bypassing the filtering system.

Wardle discovered it by making a mistake while copying and pasting code for synthetic mouse clicks, forgetting to change a flag value for an "up" event. After compiling the code, he discovered it allowed the synthetic click to function.

"Two lines of code completely break this security mechanism," said Wardle. "It is truly mind-boggling that such a trivial attack is successful. I'm almost embarrassed to talk about the bug as it's so simple - though I'm actually more embarrassed for Apple."

The flaw only affects High Sierra and not earlier versions, but it is likely to be shortlived. Wardle advised macOS 10.14 Mojave will block all synthetic events completely, which will prevent such attacks from occurring completely, though it could also affect legitimate apps that take advantage of synthetic clicks for various functions.

Comments

  • Reply 1 of 6
    welshdogwelshdog Posts: 1,638member
    "I'm actually more embarrassed for Apple."  Why? Becuase they didn't think of something you accidentally discovered? Becuase they somehow magically can't think of every single thing criminal hackers try to break in the OS? Kind of an assy thing for you to say pal.
    mike1chialkruppwatto_cobrajony0
  • Reply 2 of 6
    "The flaw only affects High Sierra and not earlier versions, but it is likely to be shortlived. Wardle advised macOS 10.14 Mojave will block all synthetic events completely...."

    Problem is, a LOT of Macs are not going to be upgradeable to Mojave and are presently on High Sierra. Apple had damned well better deal with that issue or there will be hell to pay....
    dysamoria
  • Reply 3 of 6
    lkrupplkrupp Posts: 6,530member
    sacto joe said:
    "The flaw only affects High Sierra and not earlier versions, but it is likely to be shortlived. Wardle advised macOS 10.14 Mojave will block all synthetic events completely...."

    Problem is, a LOT of Macs are not going to be upgradeable to Mojave and are presently on High Sierra. Apple had damned well better deal with that issue or there will be hell to pay....
    Get a grip on yourself. It’ll make you feel good.
    watto_cobra
  • Reply 4 of 6
    metrixmetrix Posts: 233member
    sacto joe said:
    "The flaw only affects High Sierra and not earlier versions, but it is likely to be shortlived. Wardle advised macOS 10.14 Mojave will block all synthetic events completely...."

    Problem is, a LOT of Macs are not going to be upgradeable to Mojave and are presently on High Sierra. Apple had damned well better deal with that issue or there will be hell to pay....
    It doesn't sound like you are too familiar with how exploits are fixed in supported versions of the OS. For example Windows XP is no longer supported by Windows you are on your own. Not that it should be XP is very old and should not be supported.
    edited August 2018 watto_cobra
  • Reply 5 of 6
    mystigomystigo Posts: 105member
    Don't various accessibility apps need to be able to synthesize mouse clicks? Outlawing them could make those programs less useful.
    watto_cobra
  • Reply 6 of 6
    dysamoriadysamoria Posts: 1,884member
    metrix said:
    sacto joe said:
    "The flaw only affects High Sierra and not earlier versions, but it is likely to be shortlived. Wardle advised macOS 10.14 Mojave will block all synthetic events completely...."

    Problem is, a LOT of Macs are not going to be upgradeable to Mojave and are presently on High Sierra. Apple had damned well better deal with that issue or there will be hell to pay....
    It doesn't sound like you are too familiar with how exploits are fixed in supported versions of the OS. For example Windows XP is no longer supported by Windows you are on your own. Not that it should be XP is very old and should not be supported.
    High Sierra isn't remotely as old as Windows XP. 
Sign In or Register to comment.