{"id":25740,"date":"2019-06-20T14:27:44","date_gmt":"2019-06-20T18:27:44","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=25740"},"modified":"2021-07-06T17:01:07","modified_gmt":"2021-07-06T21:01:07","slug":"legacy-app-whitelist-bypass","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/06\/20\/legacy-app-whitelist-bypass\/","title":{"rendered":"Legacy App Whitelist Bypass"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.co.uk\/2019\/06\/03\/macos_security_blocks_useless\/\">Shaun Nichols<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.theregister.co.uk\/2019\/06\/03\/macos_security_blocks_useless\/\">\n<p>Wardle, however, found that there is a glaring hole in the new security features: the implementation of backwards compatibility support. He told The Register how, in order to keep the operating system from breaking older applications, Apple included within Mojave a whitelist of apps that can work around the security protections. Specifically, whitelisted apps can perform synthetic events, which would allow them to, among other things, get around the approval click.<\/p>\n<p>What Wardle found was that Apple&rsquo;s whitelisting mechanism only checks the cryptographic signatures of applications&rsquo; executables, not every piece of additional code that they load and run, such as plugins and scripts. This means that an attacker could in some way modify, or rather extend, one of those whitelisted apps to fake a permission approval click and gain access to all of the protected resources in Mojave without any noticeable user notification or interaction.<\/p>\n<\/blockquote>\n\n<p>See also: the <a href=\"https:\/\/arstechnica.com\/information-technology\/2018\/08\/macos-user-warnings-are-trivial-for-malware-to-suppress-and-bypass\/\">synthetic click bug<\/a> that was <a href=\"https:\/\/twitter.com\/gruber\/status\/1029083728126074880\">fixed in Mojave<\/a>.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2017\/09\/26\/mac-keychain-vulnerability\/\">Mac Keychain Vulnerability<\/a><\/li>\n<\/ul>\n\n<p id=\"legacy-app-whitelist-bypass-update-2019-06-21\">Update (2019-06-21): <a href=\"https:\/\/twitter.com\/rosyna\/status\/1141987742961684480\">Rosyna Keller<\/a>:<\/p>\n<blockquote cite=\"https:\/\/twitter.com\/rosyna\/status\/1141987742961684480\">\n<p>The legacy app list was updated automatically (separate from an OS update) on May 29th(?). The hijacked apps no longer appear in the list.<\/p>\n<p>See <tt>\/System\/Library\/Sandbox\/TCC_Compatibility.bundle\/Contents\/Resources\/AllowApplicationsList.plist<\/tt><\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>Shaun Nichols: Wardle, however, found that there is a glaring hole in the new security features: the implementation of backwards compatibility support. He told The Register how, in order to keep the operating system from breaking older applications, Apple included within Mojave a whitelist of apps that can work around the security protections. Specifically, whitelisted [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-06-20T18:27:46Z","apple_news_api_id":"5b246cca-0c11-459a-84ce-b30225d2324b","apple_news_api_modified_at":"2021-07-06T21:01:11Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAQ==","apple_news_api_share_url":"https:\/\/apple.news\/AWyRsygwRRZqEzrMCJdIySw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[131,2095,465,30,1609,504,48],"class_list":["post-25740","post","type-post","status-publish","format-standard","hentry","category-technology","tag-bug","tag-exploit","tag-gatekeeper","tag-mac","tag-macos-10-14","tag-malware","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/25740","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=25740"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/25740\/revisions"}],"predecessor-version":[{"id":25747,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/25740\/revisions\/25747"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=25740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=25740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=25740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}