A process injection vulnerability has been found in macOS. It affected every AppKit-based macOS application and could be used, from one compromised app, to take over other apps and, through them, the system itself. Apple has since fixed the vulnerability in an update to macOS Monterey. The vulnerability was discovered by Thijs Alkemade, an ethical hacker at Computest Security, and was presented this week at the international hacker conferences Black Hat and DEF CON.
By exploiting the process injection vulnerability in macOS, an attacker who controls a single application can acquire and abuse the permissions of other applications. With this, for example, the camera or microphone can be turned on unnoticed, or the entire system can be accessed, which would allow an attacker to install malware fairly easily. What makes the vulnerability particularly interesting is that it applies universally to all AppKit-based applications.
Weakness in an unexpected place
Alkemade further notes that the vulnerability was in an unexpected location: a feature developed some ten years ago, the "saved state" function. When you shut down your computer, the system offers to reopen the windows you had open when it restarts. At the time Saved State was developed this was not a vulnerability, because there was not yet such a large number of applications, each with its own set of permissions. It is precisely this difference in permissions between applications that gives the vulnerability its significant impact.
“It is understood that features developed long ago were not always designed for today’s technology. In fact, you should also check the system as a whole regularly. However, this does not usually happen, because the focus is on developing new functionality. But the larger and more comprehensive the system becomes, the more vulnerable it often becomes. It is important that organizations recognize this and take appropriate security measures.”
Alkemade reported the vulnerability to Apple and also provided information on how to exploit it, for which he received a bug bounty. Apple has since resolved the vulnerability by releasing an update to macOS Monterey. In addition, changes have been made to the AppKit documentation so that developers can build new apps and features without reintroducing the vulnerability.
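For developers wondering what the "saved state" feature looks like from the app side, the following is an added example (not code from the article, from Apple, or from Computest) of an AppKit app that stores and restores per-window state. It assumes the AppKit API as documented for macOS 12 and later, where an app delegate can opt its restorable state into secure coding and a window controller decodes only an explicitly named class; the class names, key name and property are illustrative.

```swift
import Cocoa

// Added example, not from the article: a minimal AppKit app delegate that
// opts the app's saved state into secure coding. Assumes the AppKit API as
// documented for macOS 12 and later.
final class AppDelegate: NSObject, NSApplicationDelegate {
    // Tell AppKit that restorable state must only be decoded with
    // NSSecureCoding-compliant classes.
    func applicationSupportsSecureRestorableState(_ app: NSApplication) -> Bool {
        return true
    }
}

// Illustrative window controller (hypothetical name) that saves the path of
// the document it shows and restores it on relaunch.
final class DocumentWindowController: NSWindowController {
    var openedPath: String = ""

    override func encodeRestorableState(with coder: NSCoder) {
        super.encodeRestorableState(with: coder)
        // Encode a plain string under an illustrative key.
        coder.encode(openedPath as NSString, forKey: "openedPath")
    }

    override func restoreState(with coder: NSCoder) {
        super.restoreState(with: coder)
        // Decode with an explicit class list; anything that is not an
        // NSString under this key is rejected rather than instantiated.
        if let path = coder.decodeObject(of: NSString.self, forKey: "openedPath") {
            openedPath = path as String
        }
    }
}
```

The design point is in the restore path: state is decoded with `decodeObject(of:forKey:)` against a named class rather than with an untyped decode, so the archive on disk cannot cause the app to instantiate classes the developer did not intend.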
It is not the first vulnerability that Alkemade has discovered. Together with his colleague Daan Keuper, he focuses entirely on research in Computest Security's own lab. In doing so, they already have several award-winning hacks to their name. For example, Alkemade and Keuper have twice won the international hacking competition Pwn2Own, by hacking Zoom and by demonstrating vulnerabilities in industrial systems. They have also revealed vulnerabilities in various Volkswagen Group cars.