Apple zero-day vulnerability exposes High Sierra to synthetic mouse-click attacks

• The flaw involved tweaking a few lines of code in Apple’s software
• Apple has addressed the flaw by implementing a new security feature dubbed “User Assisted Kernel Extension Loading”

A new zero-day has been identified in Apple’s High Sierra OS that could allow local attackers to carry out synthetic mouse-click attacks. The flaw came to light after leading Apple security researcher Patrick Wardle, who currently serves as the CRO of Digita Security, detailed his findings at the 2018 Defcon hacker conference.

Wardle said that tweaking a few lines of code in Apple’s software could allow attackers the ability to virtually “click” on a security prompt, which in turn, loads a kernel extension. Once the attacker is able to obtain kernel access on a Mac, it could allow him/her the ability to compromise the entire OS.

"Via a single click, countless security mechanisms may be completely bypassed. Run an untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed,” researchers said.

The vulnerability in question has been tracked as CVE-2017-7150 and impacts Apple’s Mac OS 10.13 and earlier versions. This security flaw allows unauthorized code to interact with any UI components, including “protected” security dialogues. If exploited, attackers could bypass security mechanisms and exfiltrate passwords.

“Before an attacker can load a (signed) kernel extension, the user has to click an ‘allow’ button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed it’s game over,” Wardle explained, Threatpost reported.

Wardle further noted that the due to some unknown reasons the two synthetic mouse down events were incorrectly interpreted by High Sierra and this “fully breaks a foundational security mechanism of High Sierra.”

Apple has addressed the flaw by implementing a new security feature dubbed “User Assisted Kernel Extension Loading”. The feature requires users to manually click an “allow” button to approve the loading of any kernel extension. In addition, a filtering mechanism has been introduced in the latest macOS versions, including High Sierra to block such synthetic events.