A single flaw broke every layer of security in macOS


Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Tucked under the prompt is another option that most of us probably overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature – and it can be used to break key layers of Apple’s security protections.

The vulnerability, which is likely to be exploited through process injection to break macOS security, could allow an attacker to read all files on a Mac or take control of the webcam, says security researcher Thijs Alkemade of the Dutch cybersecurity company Computest, who found the flaw. “It’s basically a vulnerability that could be applied in three different places,” he says.

After deploying the initial attack against the saved state feature, Alkemade was able to move into other parts of the Apple ecosystem: first escaping the macOS sandbox, which is designed to limit a successful hack to a single application, and then bypassing System Integrity Protection (SIP), a key defense designed to prevent unauthorized code from accessing sensitive files on a Mac.

Alkemade, who presents the work at the Black Hat conference in Las Vegas this week, first discovered the vulnerability in December 2020 and reported the issue to Apple through its bug bounty program. He received a “pretty nice” research award, he says, though he declines to detail how much. Since then, Apple has released two updates to fix the flaw, first in April 2021 and again in October 2021.

Asked about the flaw, Apple had not commented before Alkemade’s presentation. The company’s two public updates on the vulnerability aren’t detailed, but they say the issues could allow malicious apps to leak sensitive user information and escalate privileges, allowing an attacker to move around a system.

Apple’s changes can also be seen in Xcode, the company’s development environment for app makers, says a blog post by Alkemade describing the attack. The researcher claims that although Apple fixed the issue for Macs running the Monterey operating system, which was released in October 2021, previous versions of macOS are still vulnerable to the attack.

There are several steps to successfully launching the attack, but they all go back to the initial process injection vulnerability. Process injection attacks allow hackers to inject code into a device and execute it in a way that was not originally intended.

Such attacks are not uncommon. “It is quite often possible to find the process injection vulnerability in a specific application,” says Alkemade. “But to have one that is so universally applicable is a very rare find,” he says.

The vulnerability found by Alkemade is in a “serialized” object in the saved state system, which saves the applications and windows you have open when you shut down a Mac. This saved state system can also run while a Mac is in use, in a process called App Nap.
