Improper App Check Revives the Synthetic Clicks Issue in macOS Mojave (Jun 3, 2019)
macOS researcher Patrick Wardle has identified an unpatched flaw in the app verification process on macOS Mojave. The vulnerability allows legacy apps to load and execute unverified code. A trusted application can be changed by executing code on the machine without the user's knowledge, allowing for a malicious event. Automatic clicks allow for prompts to be included to reduce user interaction. This is the second reported zero-day issue in two weeks that affects macOS Mojave, following a flaw, discovered by Filippo Cavallarin, that allows bypassing Gatekeeper with unsigned code on a network share.
Recommendation: At the time of this writing, no patch is yet available for this flaw. However, this story can be used as a reminder that unpredictable vulnerabilities are discussed in open sources, which increases the likelihood that threat actors will attempt to exploit them. When a security update is released, it should be applied as soon as possible due to the potential for malicious events associated with this vulnerability. Policies should be in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.