acm-header
Sign In

Communications of the ACM

Home/News/Apple macOS Security Protections Easily Bypassed With.../Full Text
ACM TechNews

Apple macOS Security Protections Easily Bypassed With 'Synthetic' Clicks, Researcher Finds

By TechCrunch
June 6, 2019
Comments
View as: Print Mobile App Share:
Keyboard of a Macbook Pro.

A researcher has found a zero-day vulnerability in a central Apple macOS safeguard that permits apps or malware to circumvent permissions and access a user's private data, webcam, or microphone.

Credit: ZDnet

Researcher Patrick Wardle at Digita Security found a zero-day vulnerability in a central Apple macOS safeguard allowing apps or malware to circumvent permissions, and access a user's private data, webcam, or microphone.

The flaw derives from an undocumented whitelist of cleared macOS apps that are permitted to generate "synthetic" clicks to prevent breakage.

Apps are usually signed with a digital certificate to prove their authenticity and freedom from tampering, so if the app has been changed to include malware, the certificate signals an error.

However, the bug Wardle identified implied that macOS was only checking if a certificate exists, without properly confirming the whitelisted app's legitimacy; this means a manipulated variant of a whitelisted app could be leveraged to activate a synthetic click.

Wardle said he alerted Apple of the flaw, but the company has not yet issued a patch.

From TechCrunch
View Full Article

 

Abstracts Copyright © 2019 SmithBucklin, Washington, DC, USA

 

No entries found

Sign In for Full Access
» Forgot Password? » Create an ACM Web Account