A single flaw broke all layers of security in MacOS

Every time you shut down your Mac, a pop-up window appears: “Are you sure you want to turn off your computer now?” Beneath the message is another option that most of us probably overlook: the option to reopen the apps and windows you have open now when your machine turns back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature, and it can be used to break through key layers of Apple’s security protections.

The vulnerability, which is susceptible to a process injection attack to break macOS security, could allow an attacker to read all files on a Mac or take control of the webcam, says security researcher Thijs Alkemade from the Dutch cybersecurity firm Computest that found the flaw. “It’s basically a vulnerability that could be applied to three different locations,” he says.

After deploying the initial attack against the saved state feature, Alkemade was able to move through other parts of the Apple ecosystem: first escaping the macOS sandbox, which is designed to limit successful hackers to a application, and then bypassing System Integrity Protection (SIP). ), a key defense designed to prevent authorized code from accessing sensitive files on a Mac.

Alkemade, which is presenting the work at the Black Hat conference in Las Vegas this week, first found the vulnerability in December 2020 and reported the problem to Apple through its bug bounty scheme. He was paid a “very nice” reward for the research, he says, though he declines to detail how much. Apple has since released two updates to address the flaw, first in April 2021 and again in October 2021.

When asked about the flaw, Apple said it had no comment before Alkemade’s presentation. The company’s two public updates on the vulnerability are light on detail, but say the problems could allow malicious apps to leak sensitive user information and elevate privileges for an attacker to move through a system.

Apple’s changes can also be seen in Xcode, the company’s development workspace for app creators, says a blog post describing the Alkemade attack. The researcher says that while Apple fixed the problem for Macs with the Monterey operating system, which was released in October 2021, older versions of macOS are still vulnerable to the attack.

There are several steps to successfully launching the attack, but they fundamentally come back to the initial process injection vulnerability. Process injection attacks allow hackers to inject code into a device and execute code in a different way than originally intended.

Attacks are not uncommon. “It is often possible to find the process injection vulnerability in a specific application,” says Alkemade. “But to have one that is so universally applicable is a very rare find,” he says.

The vulnerability Alkemade found is in a “serialized” system save state object, which saves the applications and windows you have open when you shut down a Mac. This system save state can also run while using a Mac, in a process called App Nap.

Leave a Comment

Your email address will not be published. Required fields are marked *