0-day flaw in macOS High Sierra lets hackers dump all passwords from keychain
Apple prides itself on the airtight security offered by its family of products, including the Mac operating system, macOS. But while considerably less targeted by hackers, macOS is still vulnerable to attacks – especially when a bad actor comes at it with an exploit that takes advantage of a zero-day vulnerability.
Ex-NSA hacker Patrick Wardle demonstrated just that at the Def Con conference in Vegas, when he showed that macOS High Sierra (the current version of Apple's Mac operating system) is vulnerable to attacks involving “synthetic clicks.”
macOS is rich in Accessibility features, and one of these abilities is the nifty trick of making mouse-clicks without actually touching the mouse – everything happens in the software. Wardle found that an unpatched 0-day flaw can be exploited to virtually click objects and gain access to password-protected areas. In fact, he found a way to dump all passwords from the keychain and bypass 3rd-party security tools.
“Via a single click, countless security mechanisms may be completely bypassed,” says Wardle. “Run untrusted app? click …allowed. Authorize keychain access? click …allowed. Load 3rd-party kernel extension? click …allowed. Authorize outgoing network connection? click …allowed. Luckily security-conscious users will (hopefully) heed such warning dialogues—stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way?”
See his presentation slides here for the full scoop. Apple has reportedly patched the bug in its upcoming macOS Mojave, which is currently in beta.