0-day flaw in macOS High Sierra lets hackers dump all passwords from keychain
Apple prides itself on the airtight security offered by its family of products, including the Mac operating system, macOS. But while considerably less targeted by hackers, macOS is still vulnerable to attacks â€“ especially when a bad actor comes at it with an exploit that takes advantage of a zero-day vulnerability.
Ex-NSA hacker Patrick Wardle demonstrated just that at the Def Con conference in Vegas, when he showed that macOS High Sierra (the current version of Apple”s Mac operating system) is vulnerable to attacks involving “synthetic clicks.”
macOS is rich in Accessibility features, and one of these abilities is the nifty trick of making mouse-clicks without actually touching the mouse â€“ everything happens in the software. Wardle found that an unpatched 0-day flaw can be exploited to virtually click objects and gain access to password protected areas. In fact, he found a way to dump all passwords from the keychain and bypass 3rd-party security tools.
“Via a single click, countless security mechanisms may be completely bypassed,” says Wardle. “Run untrusted app? click …allowed. Authorize keychain access? click …allowed. Load 3rd-party kernel extension? click …allowed. Authorize outgoing network connection? click …allowed. Luckily security-conscious users will (hopefully) heed such warning dialoguesâ€”stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way?”
See his presentation slides here for the full scoop. Apple has reportedly patched the bug in its upcoming macOS Mojave, which is currently in beta.
Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns
January 19, 2023
Enhance your cyber resilience and privacy on Computer Security Day in four easy steps
November 29, 2022
How to monitor your online privacy during your Thanksgiving trip
November 22, 2022
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info
November 16, 2022
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be
November 14, 2022