A report has shown that warning prompts on Mac OS X computers can be easily bypassed, and a demonstration has shown how malware could exploit this. The vulnerability is classified as a shortcoming of the operating system’s design and is tracked as CVE-2017-7150.
CVE-2017-7150: Mac OS X Warning Prompts Bypassed With a Simple Hack
The Def Con conference is regarded as one of the most important conventions in the security community, as it is often the place where notable vulnerabilities are announced. One of the latest presentations showcased a technique, demonstrated by a security expert, that can bypass Mac OS X warning prompts. It works by abusing the user interface with a novel method that generates “synthetic clicks” emulating user behaviour. This allows attackers to build malware that automatically dismisses notification and warning prompts by fooling the system into treating the clicks as genuine user input.
Instead of emulating mouse movement directly (a method already used by earlier malware), this technique relies on an accessibility feature called mouse keys, which converts keyboard interaction into mouse actions. Pressing certain keys on the keyboard is interpreted by the operating system as mouse button presses. Because these presses appear to be regular user input, they pass through security alerts. A proof-of-concept attack demonstrated how this technique can be leveraged to dump unencrypted user passwords and private keys from the keychain.
Following its disclosure the vulnerability was tracked in the CVE-2017-7150 advisory, which reads:
An issue was discovered in certain Apple products. macOS before 10.13 Supplemental Update is affected. The issue involves the “Security” component. It allows attackers to bypass the keychain access prompt, and consequently extract passwords, via a synthetic click.
Apple released a patch that addresses the issue; however, it did not mitigate the technique altogether. While testing patched machines with older code, the security expert who reported the issue incorrectly applied some of the code snippets, which resulted in another bypass. This shows that with some code modifications malicious users could still compromise patched systems. Upon further investigation it appears that the newer code sent out two “down” events instead of one. The system interpreted this as a mistake and corrected it to an “up” event, which resulted in another security bypass.
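The two paragraphs above describe a design lesson rather than a specific API: a consent prompt that silently “repairs” a malformed input sequence (two “down” events with no “up”) ends up honouring a click it should never have accepted. The following Python model is an added illustration written for this page; it is not Apple’s code and not the researcher’s proof of concept, and the event shape, the `trusted` flag and the handler names are constructed for the example and do not describe macOS internals. It contrasts a lenient handler that auto-corrects duplicate “down” events with a fail-closed handler that rejects anything other than a well-formed, trusted down/up pair and records why.

```python
# Added illustration (constructed model, not Apple's code or the original PoC):
# how a consent prompt should treat click events that do not look like a clean
# hardware down/up pair. Field names and the notion of a "trusted" event are
# assumptions made for this example only.
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ClickEvent:
    kind: str       # "down" or "up"
    trusted: bool   # assumed flag: True if attributed to physical hardware input


def lenient_decision(events: Iterable[ClickEvent]) -> Tuple[bool, List[str]]:
    """Approve on any down/up pair and silently repair malformed sequences.

    The repair step mirrors the failure mode the article describes: a second
    "down" while the button is already held is reinterpreted as an "up", which
    completes a click that the prompt then honours. Event origin is ignored.
    """
    log: List[str] = []
    pressed = False
    for ev in events:
        if ev.kind == "down":
            if pressed:
                log.append("duplicate down repaired to up")   # the dangerous shortcut
                return True, log
            pressed = True
        elif ev.kind == "up" and pressed:
            return True, log
    log.append("incomplete click")
    return False, log


def strict_decision(events: Iterable[ClickEvent]) -> Tuple[bool, List[str]]:
    """Fail closed: approve only a well-formed down/up pair of trusted events.

    Any anomaly (untrusted source, duplicate down, up without down, or an
    unfinished click) rejects the prompt and is logged so a defender can alert
    on it instead of the handler guessing what the user meant.
    """
    log: List[str] = []
    pressed = False
    for ev in events:
        if not ev.trusted:
            log.append(f"rejected: untrusted {ev.kind}")
            return False, log
        if ev.kind == "down":
            if pressed:
                log.append("rejected: duplicate down")
                return False, log
            pressed = True
        elif ev.kind == "up":
            if not pressed:
                log.append("rejected: up without down")
                return False, log
            return True, log
        else:
            log.append(f"rejected: unknown event kind {ev.kind!r}")
            return False, log
    log.append("rejected: incomplete click")
    return False, log


if __name__ == "__main__":
    # Constructed input: two synthetic "down" events and no "up".
    two_downs = [ClickEvent("down", trusted=False), ClickEvent("down", trusted=False)]
    print("lenient:", lenient_decision(two_downs))   # approved after silent repair
    print("strict: ", strict_decision(two_downs))    # rejected and logged
```

The point of the contrast is that the security decision is made by the prompt, so any normalisation of input that happens on its behalf must fail closed: a sequence the handler cannot explain is evidence of tampering, not a typo to be corrected.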
The researcher has reached out to Apple with details of the issue, and another hotfix is awaited. Once it is available, all Mac OS X users should apply the update promptly to prevent their systems from being abused.