A newly disclosed weakness in macOS High Sierra lets malware that is already running on a Mac bypass the system's security prompts by feeding it synthetic mouse clicks.
Nearly a year after Apple issued a patch for synthetic-click abuse, attackers can still defeat macOS security prompts by abusing the Mouse Keys accessibility option built into macOS, a security researcher said at the DEF CON 26 security conference on Sunday (via Wired).
Mouse Keys lets a user move the pointer and click using the number pad or a cluster of letter keys on the left-hand side of the keyboard. Malware can emulate the events this feature generates and use them to approve the installation of new software or to pull secrets out of the Keychain, said Patrick Wardle, chief research officer at Digita Security.
Control over mouse clicks matters so much on the Mac because many of the system's defenses come down to a dialog the user must approve. macOS prompts for all sorts of sensitive changes, from the installation of new software to granting an application access to the Keychain. Malware that can click those prompts for itself can walk through layer after layer of protection: reading the user's location, stealing contacts, and even approving a kernel extension to take full control of the Mac.
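To make "synthetic event" concrete, the following is an added example written for this page; it is not Wardle's proof-of-concept and does not come from the Wired report. It uses only the public CoreGraphics event API to post a left click at a screen coordinate, which is the generic mechanism the consent dialogs above were trusting. It does not attempt the Mouse Keys-specific trick Wardle demonstrated, which this article does not detail. The coordinates are supplied on the command line, and the function names `canPostToOtherApps` and `synthesizeClick` are this example's own.

```swift
// synthetic_click.swift
// Added example (not Wardle's PoC and not from the Wired report): post a synthetic
// left click at a screen coordinate through the public CoreGraphics event API.
// Run on macOS with: swift synthetic_click.swift <x> <y>
import Foundation
import CoreGraphics
import ApplicationServices

/// Check whether this process is allowed to drive other applications' UI.
/// On macOS 10.14 and later, posting events into other apps is gated behind the
/// Accessibility permission in System Preferences; AXIsProcessTrusted() reports it.
func canPostToOtherApps() -> Bool {
    return AXIsProcessTrusted()
}

/// Post a synthetic pointer move, left-down and left-up at `point` (screen
/// coordinates, origin at the top-left of the main display). Returns false if an
/// event could not be created. Assumption: the caller already knows where the
/// target button is; nothing here locates a dialog.
func synthesizeClick(at point: CGPoint) -> Bool {
    guard
        let move = CGEvent(mouseEventType: .mouseMoved, mouseCursorPosition: point, mouseButton: .left),
        let down = CGEvent(mouseEventType: .leftMouseDown, mouseCursorPosition: point, mouseButton: .left),
        let up   = CGEvent(mouseEventType: .leftMouseUp,   mouseCursorPosition: point, mouseButton: .left)
    else {
        return false
    }
    // The HID event tap injects at the same point in the pipeline as real hardware
    // input, so the window server routes the click to whatever window lies under `point`.
    move.post(tap: .cghidEventTap)
    usleep(50_000)   // short pause so the target sees the pointer arrive before the press
    down.post(tap: .cghidEventTap)
    usleep(50_000)
    up.post(tap: .cghidEventTap)
    return true
}

let args = CommandLine.arguments
guard args.count == 3, let x = Double(args[1]), let y = Double(args[2]) else {
    print("usage: swift synthetic_click.swift <x> <y>")
    exit(1)
}

if !canPostToOtherApps() {
    // The check a defender cares about: without Accessibility trust, macOS 10.14+
    // does not deliver these events to other applications.
    print("process is not Accessibility-trusted; on 10.14+ the click will not reach another app")
}

let ok = synthesizeClick(at: CGPoint(x: x, y: y))
print(ok ? "posted synthetic click at (\(x), \(y))" : "failed to create events")
```

Run it with the coordinates of any button on screen and it behaves like a real click from the user's point of view; whether a given security prompt accepts such a click is exactly the question Wardle's research has been probing, and it is the point the `AXIsProcessTrusted()` check above is there to surface: on High Sierra the events go through regardless, while on Mojave and later the user has to have explicitly granted the posting process Accessibility control.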
“The user interface is that single point of failure,” says Wardle. “If you have a way to synthetically interact with these alerts, you have a very powerful and generic way to bypass all these security mechanisms.”
“Wardle’s attacks, to be clear, don’t offer a hacker an initial foothold on a computer; they only help a hacker’s malware penetrate layers of security on an already infected machine,” reads the report. “But Wardle argues they could nonetheless serve as powerful tools for sophisticated attackers trying to silently steal more data from, or gain deeper control of, a machine they’ve already penetrated with a malicious attachment in a phishing email or some other common technique.”
The flaw affects High Sierra and not earlier versions, but it is likely to be short-lived. Wardle explained that macOS 10.14 Mojave will block synthetic events outright, which should close off this class of attack.
Read Wired's complete coverage of the vulnerability here.