There is a common saying: "With a Mac you are well protected against viruses and hackers." That this is not entirely true has once again been demonstrated by a discovery by security researcher Patrick Wardle. He describes several scenarios in which the security prompts of the most recent macOS version, High Sierra, can easily be bypassed. These are the system dialogs with which macOS protects access to contacts, calendars and location data and guards the loading of so-called kernel extensions (kexts). According to Wardle, this even makes it possible to run malicious programs. This is how the attack works.
Allow or deny?
Everyone knows the system's prompts. When you open a new program, you may be told that it wants access to your contacts, calendars or location data, and you are given two options: 'Allow' or 'Deny'. Wardle found a new method to send synthetic (virtual) mouse clicks to the 'Allow' button, using, among other things, the accessibility features of High Sierra. Important: to use this attack, an attacker must already have gained access to the machine, for instance through another vulnerability; the trick does not provide initial access. Once code is running on the Mac, however, every door is open at once.
Fixed in macOS Mojave
Apple is already aware of the vulnerability, but the bug has not yet been fixed in High Sierra. Apple has of course taken measures to prevent this kind of attack, but according to Wardle these have unfortunately not been entirely successful. In macOS Mojave, in which precisely these system prompts were reworked, the hole is already closed and the attack no longer works. We expect an update for High Sierra soon.
Former NSA employee
Wardle is a familiar face where Mac security is concerned. About a year ago, for example, he published an article about a major vulnerability in the macOS keychain. Earlier this year he discovered two malware programs for macOS. In the past Wardle worked for the American intelligence agency, the NSA, where he himself discovered ways to take over Macs. At the Def Con security conference in Las Vegas he showed all the details of the attack described here.