Researcher Patrick Wardle at Digita Security found a zero-day vulnerability in a central Apple macOS safeguard allowing apps or malware to circumvent permissions, and access a user's private data, webcam, or microphone.
The flaw derives from an undocumented whitelist of cleared macOS apps that are permitted to generate "synthetic" clicks to prevent breakage.
Apps are usually signed with a digital certificate to prove their authenticity and freedom from tampering, so if the app has been changed to include malware, the certificate signals an error.
However, the bug Wardle identified implied that macOS was only checking if a certificate exists, without properly confirming the whitelisted app's legitimacy; this means a manipulated variant of a whitelisted app could be leveraged to activate a synthetic click.
Wardle said he alerted Apple of the flaw, but the company has not yet issued a patch.
View Full Article
Abstracts Copyright © 2019 SmithBucklin, Washington, DC, USA
No entries found