
macOS High Sierra "synthetic click" attack reappears at Defcon

via: cnBeta.COM     time: 2018/8/14 13:31:25


According to Threatpost, although Apple tried to fix this vulnerability, new findings show that "synthetic clicks" can still work in certain situations.

Malware can use "synthetic clicks" to bypass security prompts that the user must approve before specific activities are allowed.

This can easily give access to sensitive items (such as the Keychain) and allow risky actions such as loading kernel extensions.

Previously, the "synthetic click" problem was addressed by a new security feature called "user-assisted kernel extension loading".

This feature forces the user to manually approve the loading of kernel extensions via the "Allow" button in the system security interface.

In macOS High Sierra, the operating system filters out "synthetic clicks" that could affect security alerts, making it impossible for attackers to use the technique.

Wardle said in his talk that he accidentally discovered a High Sierra flaw while at work, but admitted that the bypass has certain limitations.

macOS interprets a mouse click as two events: a "down" event when the button is pressed and an "up" event when it is released.

However, High Sierra mistook two consecutive synthetic "down" events for a legitimate manual click.

As for the erroneous "up" event, it appears to come from macOS itself and bypasses the filtering system.

When copying and pasting the synthetic mouse-click code, Wardle made a mistake: he forgot to change the flag value of the "up" event.

As a result, after compiling the code, he found that the synthetic click was allowed: two lines of code completely broke the security mechanism.

Incredibly, this trivial attack succeeded. I am embarrassed to talk about this mistake, but by comparison it is obviously more embarrassing for Apple.

It should be pointed out that this vulnerability only affects High Sierra, not earlier versions of macOS, so it may have been introduced recently.

As a more general measure, Wardle suggests that macOS 10.14 Mojave should completely block all synthetic events, although this may also affect legitimate applications.

[Compiled from: AppleInsider]

