Synthetic clicks and the macOS flaw Apple can’t seem to fix

What’s more embarrassing than a researcher revealing a security oversight in a company’s software?

In the case of Apple, it would be when that software, macOS 10.15 ‘Catalina’, hasn’t even shipped to users yet.

The bearer of bad news was noted researcher Patrick Wardle of Digita Security, who used last weekend’s Objective by the Sea conference in advance of macOS 10.15’s launch this week to reveal a weakness through which malicious apps could exploit ‘synthetic clicks’ – automated clicks or keystrokes made by an app in the interests of accessibility.

Hijacking this, malware could automatically generate synthetic clicks to bypass prompts that ask the user to authorise actions such as installing software, hijacking webcams and microphones, or accessing Apple’s Keychain password manager, none of which would be a good thing.

Because macOS security depends on the response to such alerts, malware that can simulate these clicks on behalf of the user would have a dangerous amount of power.

In 2017 it was realised that FruitFly malware had adopted the technique as far back as 2008, as did DevilRobber in 2011 and Genieo in 2014, so the threat is more than theoretical.

The flaw

To counter this, Apple introduced a whitelist that limited access to synthetic clicks to applications approved by the user.

However, it was discovered that, for reasons of backwards compatibility, Apple had built in some exceptions to this rule through the Transparency, Consent, and Control (TCC) system, including for the open source VLC media player, Adobe Dreamweaver, and the Steam games platform.

According to Wardle, the problem with the whitelist is that while it checks that an app is allowed access, it doesn’t check what that app is doing. If an attacker appended code to a legitimate app, the control would fail. Wardle said to ZDNet:

The issue is that the verification is incomplete, so they only end up checking that the app is signed by who they think it should be (i.e. VLC, signed by VLC developer), but not the executable code or application resources.
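The gap between the two kinds of check can be shown with a simplified model. This is an added example, not code from the article, from Wardle or from Apple: the HMAC key stands in for a developer signature, and the signer ID, file paths and file contents are constructed for illustration.

```python
import hashlib, hmac, json

# Constructed stand-in for a developer signing key; real macOS signing uses
# certificates and asymmetric signatures, not an HMAC.
DEV_KEY = b"constructed-demo-key"
ALLOWED_SIGNERS = {"EXAMPLE-TEAM-ID"}  # hypothetical allowlist entry

def seal(files, signer):
    """Record a SHA-256 per file and sign the resulting manifest."""
    manifest = {"signer": signer,
                "hashes": {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}}
    blob = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest,
            "sig": hmac.new(DEV_KEY, blob, hashlib.sha256).hexdigest()}

def signer_is_allowed(sealed):
    """Identity-only check: valid signature from an allowlisted signer."""
    blob = json.dumps(sealed["manifest"], sort_keys=True).encode()
    expected = hmac.new(DEV_KEY, blob, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, sealed["sig"])
            and sealed["manifest"]["signer"] in ALLOWED_SIGNERS)

def content_matches_seal(files, sealed):
    """Full check: identity plus every file present matches the sealed hashes."""
    if not signer_is_allowed(sealed):
        return False
    hashes = sealed["manifest"]["hashes"]
    if set(files) != set(hashes):  # files added or removed since sealing
        return False
    return all(hmac.compare_digest(hashlib.sha256(d).hexdigest(), hashes[p])
               for p, d in files.items())

def demo():
    # Constructed bundle contents, not taken from any real application.
    files = {"Contents/MacOS/app": b"main executable",
             "Contents/Resources/plugin.bin": b"original resource"}
    sealed = seal(files, "EXAMPLE-TEAM-ID")
    # Simulate a resource that changed after the bundle was sealed.
    modified = dict(files)
    modified["Contents/Resources/plugin.bin"] = b"altered resource"
    # The identity-only check never looks at the files, so it cannot differ.
    return {"identity_only_original": signer_is_allowed(sealed),
            "identity_only_modified": signer_is_allowed(sealed),
            "full_original": content_matches_seal(files, sealed),
            "full_modified": content_matches_seal(modified, sealed)}
```

The identity-only check returns the same answer for the original and the modified bundle, while the content check rejects the modified one.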

Running sore

Apple’s embarrassment over the latest discovery will be compounded by the fact that Wardle has been scratching away at the same weakness for years.

In 2017, Wardle revealed how macOS High Sierra’s mouse keys feature (a way of controlling the mouse pointer from the keyboard) could be abused to sneakily bypass the OS’s protection against synthetic click exploits.

Apple patched the issue, but in 2018 he was back with another proof-of-concept that made possible a partial bypass of protections in macOS Mojave.

Every time Wardle discovers a weakness in macOS security, Apple patches it, after which he returns with another gotcha, timed for maximum effect to coincide with the release of a new version of the OS.

It’s uncomfortably reminiscent of another researcher, José Rodríguez, who has developed a habit of finding flaws Apple thought it had fixed in the iOS lock screen.

As with previous weaknesses in this layer, a patch will be released at some point. But it’s hard to escape the impression that, in these two areas at least, Apple’s security approach is to fix holes one at a time rather than analysing their underlying causes.