Hackers show to bypass macOS security alerts via “synthetic” clicks at DEFCON 2018

At the DefCon hacker conference held in Las Vegas on Sunday, former National Security Agency employee and well-known Mac hacker Patrick Wardle showed how so-called "synthetic clicks" allow malware to easily pass through system security alerts.

Wardle believes that this method of bypassing the macOS security mechanism could be used to steal the contacts stored on a user's computer, and even to load code into the operating system kernel and take complete control of the machine.

Operating systems commonly put a checkpoint in front of sensitive data or functionality: the user is asked to click "allow" or "deny" for a program, which blocks malware while letting legitimate applications through. Wardle's approach helps malware get past this security layer.

As a security researcher at Digita Security, Wardle said, "Before an attacker can load a (signed) kernel extension, the user has to click an 'allow' button. This recent security mechanism is designed to prevent rogue attacks from loading code into the kernel. If this mechanism is bypassed it's game over."

However, Wardle's synthetic click method does not hide the pop-up prompt: macOS still displays it on screen, so a user watching the machine could notice that something is being clicked through. But Wardle said that malware can simply wait until the user has left the machine before triggering the prompt and bypassing it.

For some unknown reason the two synthetic mouse ‘down’ events confuse the system and the OS sees it as a legitimate click. This fully breaks a foundational security mechanism of High Sierra.

Wardle admits that his "synthetic click" attack does not by itself break into the Mac operating system or take control of the computer. But in the hands of sophisticated attackers, it can be a dangerous tool for stealing more data or gaining deeper control of a victim's computer.

Via: threatpost