Thursday, June 20, 2019

Legacy App Whitelist Bypass

Shaun Nichols:

Wardle, however, found that there is a glaring hole in the new security features: the implementation of backwards compatibility support. He told The Register how, in order to keep the operating system from breaking older applications, Apple included within Mojave a whitelist of apps that can work around the security protections. Specifically, whitelisted apps can perform synthetic events, which would allow them to, among other things, get around the approval click.

What Wardle found was that Apple’s whitelisting mechanism only checks the cryptographic signatures of applications’ executables, not every piece of additional code that they load and run, such as plugins and scripts. This means that an attacker could in some way modify, or rather extend, one of those whitelisted apps to fake a permission approval click and gain access to all of the protected resources in Mojave without any noticeable user notification or interaction.

See also: the synthetic click bug that was fixed in Mojave.
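To make the gap concrete, here is an added example that is not code from the article, from The Register, or from Apple. It builds a throwaway .app layout and a hand-constructed resource seal modelled on the layout of Contents/_CodeSignature/CodeResources (simplified, as an assumption, to the files2 / hash2 SHA-256 entries), then shows that tampering with a sealed file is caught while swapping a plugin the seal never covered is not. The bundle name, file names, plugin path and contents are constructed fixtures, not data from any real whitelisted app.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Constructed fixture (assumption): a minimal .app whose seal covers a helper
# script but not the plugin directory the main executable loads at run time.
EXEC_NAME = "LegacyApp"
SEALED = {"Resources/helper.sh": b"#!/bin/sh\necho legacy\n"}
UNSEALED = {"MacOS/plugins/libcodec.dylib": b"fake plugin bytes\n"}


def make_bundle(root: Path) -> Path:
    """Create LegacyApp.app under root with a simplified CodeResources seal."""
    app = root / "LegacyApp.app"
    contents = app / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    (contents / "MacOS" / EXEC_NAME).write_bytes(b"fake main executable\n")
    with open(contents / "Info.plist", "wb") as f:
        plistlib.dump({"CFBundleExecutable": EXEC_NAME,
                       "CFBundleIdentifier": "com.example.legacyapp"}, f)
    for rel, data in {**SEALED, **UNSEALED}.items():
        path = contents / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    # files2 entries: path relative to Contents/ -> {"hash2": sha256 digest}
    seal = {"files2": {rel: {"hash2": hashlib.sha256(data).digest()}
                       for rel, data in SEALED.items()}}
    (contents / "_CodeSignature").mkdir()
    with open(contents / "_CodeSignature" / "CodeResources", "wb") as f:
        plistlib.dump(seal, f)
    return app


def load_seal(app: Path) -> dict:
    with open(app / "Contents" / "_CodeSignature" / "CodeResources", "rb") as f:
        return plistlib.load(f).get("files2", {})


def verify_seal(app: Path) -> list:
    """Return sealed paths whose current SHA-256 no longer matches the seal."""
    bad = []
    for rel, entry in sorted(load_seal(app).items()):
        path = app / "Contents" / rel
        if not path.exists():
            if not entry.get("optional"):
                bad.append(rel)
            continue
        if hashlib.sha256(path.read_bytes()).digest() != entry["hash2"]:
            bad.append(rel)
    return bad


def unsealed_files(app: Path) -> list:
    """Files under Contents/ that no seal entry covers.

    The main executable and Info.plist are skipped because a real signature
    hashes them directly in the code directory; everything else that is not
    in files2 can be replaced without invalidating the signature.
    """
    contents = app / "Contents"
    with open(contents / "Info.plist", "rb") as f:
        main_exec = "MacOS/" + plistlib.load(f)["CFBundleExecutable"]
    sealed = set(load_seal(app))
    out = []
    for path in contents.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(contents).as_posix()
        if rel.startswith("_CodeSignature/") or rel in sealed \
                or rel in (main_exec, "Info.plist"):
            continue
        out.append(rel)
    return sorted(out)


def run_demo() -> dict:
    """Build the fixture, tamper with it, and report what each check sees."""
    with tempfile.TemporaryDirectory() as tmp:
        app = make_bundle(Path(tmp))
        result = {"before": verify_seal(app), "unsealed": unsealed_files(app)}
        # Swap the plugin: the seal never covered it, so nothing changes.
        (app / "Contents" / "MacOS/plugins/libcodec.dylib").write_bytes(
            b"attacker plugin\n")
        result["after_plugin_swap"] = verify_seal(app)
        # Tamper with a sealed file: this one is detected.
        (app / "Contents" / "Resources/helper.sh").write_bytes(
            b"#!/bin/sh\necho tampered\n")
        result["after_script_edit"] = verify_seal(app)
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real Mac the equivalent check is `codesign --verify --deep --strict` against each application named in the compatibility list, plus a look for code the app loads at run time (plugins, scripts, dylibs) that lives outside the seal: a whitelist keyed on the main executable's signature says nothing about that code.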


Update (2019-06-21): Rosyna Keller:

The legacy app list was updated automatically (separate from an OS update) on May 29th(?). The hijacked apps no longer appear in the list.

See /System/Library/Sandbox/TCC_Compatibility.bundle/Contents/Resources/AllowApplicationsList.plist
