Zero-Day Vulnerability in MacOS Mojave bypasses system-level confidentiality permissions





By Mikey Campbell
Monday, September 24, 2018 at 16:41 Pacific Time (7:41 pm ET)

According to a security researcher, macOS Mojave from Apple, which was distributed to users around the world on Monday, includes a flawed implementation of security protections that could expose personal data.

MacOS Mojave Permissions

Highlighted by Patrick Wardle of Digita Security, the apparent flaw allows an unprivileged application to bypass system-level permissions and extract user information from certain applications. Wardle has discovered a number of Apple-related security issues, the most recent being the exfiltration of sensitive data by the Adware Doctor application.

During the Worldwide Developers Conference last June, Apple introduced an extensive set of macOS security features that require users' express permission before certain applications can use protected data and hardware. Specifically, on macOS Mojave users must explicitly allow access to the Mac's camera, microphone, mail history, backups, locations, routines, and system cookies.

In a short video uploaded to Twitter, Wardle demonstrates a circumvention of at least one of these protections.

The brief demo shows a first unsuccessful attempt to access and copy contacts via Terminal, an expected result as part of Apple's security measures. Wardle then runs an unprivileged application, aptly called "breakMojave", to locate and access the Mac address book.

Having gained access, Wardle is able to run a list command that displays all files in the protected folder, including metadata and images.

Speaking to TechCrunch, Wardle said that the exploit is "not a universal bypass" of the extended permissions feature, but noted that the technique can be used to access protected data whenever a user is logged in to macOS. As such, the flaw is unlikely to pose a major problem for most users, but it could prove embarrassing in some situations.

The security researcher is keeping the bug's details confidential to protect the general public, but said he publicized the bypass to draw attention to Apple's lack of a bug bounty program for the Mac. Indeed, a cheeky line in Wardle's script reads: "Submitting report to [email protected]... ERROR: macOS bug bounty program not found :/"

Apple currently runs an iOS bug bounty program, launched in 2016, that pays up to $200,000 for bugs affecting secure boot firmware components, but the company has not yet launched a similar incentive initiative for the Mac.

Now that the bug is public, Apple will undoubtedly learn of its details and publish a patch in an upcoming update.
