An Apple security expert last year documented an attack technique that uses synthetic clicks to bypass security features in macOS High Sierra. What are synthetic clicks and how does this attack work?
Once malware is present on an endpoint, it can use any of multiple vulnerabilities for local privilege escalation. The malware could contain traditional executables, such as scripts that run on the endpoint. Even a securely configured system might still be exposed to privilege escalation vulnerabilities, which can cause damage to the user, to the data on the system and even to the rest of the network.
A new approach to privilege escalation attacks is bypassing prompts that ask users if they want to perform an action that might be detrimental to their system’s security. Even though the user has the ability to make changes and install software, macOS and Windows include an extra step to securely verify the user’s intentions.
One way to bypass these prompts is to use malware that is already on the system and find a way to click the button that enables the desired action — all without any action on the part of the user. On Windows systems, AutoIt — a legitimate system administration tool — has been exploited to enable attackers to click buttons, and Android Accessibility Services has been exploited on Android devices in the same way.
Patrick Wardle, chief research officer at Digita Security, a macOS security company, showed how attackers can use synthetic clicks — a feature of macOS that allows a program to select a button in an open window — to bypass security protections, even though the feature was designed not to work on some sensitive allow or deny buttons.
Wardle explained the actions a malicious actor could take on an unpatched system to abuse this functionality. Even after an Apple update had been applied, the specific attack still allowed attackers to access contacts, calendars, locations and network connections. Apple’s latest update to macOS Mojave, version 10.14, removes support for all synthetic events, including synthetic clicks; while this eliminates the possibility of an attacker exploiting synthetic clicks, it also breaks any software that uses synthetic events legitimately.