Apple Still Has Problems With Stopping Synthetic Clicks (zdnet.com) 22
Synthetic events remain a big security hole for macOS in spite of Apple's recent efforts to prevent malicious applications from abusing this feature. From a report: Speaking at the second edition of the Objective by the Sea security conference that was held in Monaco over the weekend, Patrick Wardle, a well-known Apple security expert, has revealed a zero-day impacting Apple's macOS operating system, including the new version launched today. The zero-day is a bypass of the security protections that Apple has put in place to prevent unauthorized access to synthetic events. Synthetic events are a macOS mechanism that allows applications to automate mouse clicks and keyboard input. It was created for the sake of automation and can be used via either the Core Graphics framework or the AppleScript scripting language. [...]
For almost two years now, Wardle has been looking at Apple's countermeasures aimed to prevent the abuse of synthetic events. He previously showed two methods[1, 2] of bypassing Apple's synthetic events protections, so much so that Apple decided last year to block access to synthetic events by default. But over the weekend, Wardle disclosed a new way of bypassing these latest protections, once again. "It's the gift that keeps giving," Wardle told ZDNet via email. "And actually gets more and more valuable as Apple adds more protections (privacy and security mechanisms) that can be 'allowed' by a single synthetic click." The new technique is possible because of the Transparency Consent and Control (TCC) system. Wardle says the TCC contains a compatibility database in the form of a file named AllowApplications.plist. This file lists apps and app versions that are allowed to access various privacy and security features, including synthetic events.
For almost two years now, Wardle has been looking at Apple's countermeasures aimed to prevent the abuse of synthetic events. He previously showed two methods[1, 2] of bypassing Apple's synthetic events protections, so much so that Apple decided last year to block access to synthetic events by default. But over the weekend, Wardle disclosed a new way of bypassing these latest protections, once again. "It's the gift that keeps giving," Wardle told ZDNet via email. "And actually gets more and more valuable as Apple adds more protections (privacy and security mechanisms) that can be 'allowed' by a single synthetic click." The new technique is possible because of the Transparency Consent and Control (TCC) system. Wardle says the TCC contains a compatibility database in the form of a file named AllowApplications.plist. This file lists apps and app versions that are allowed to access various privacy and security features, including synthetic events.
Re: (Score:2, Insightful)
Re: (Score:3, Funny)
Which OS do you recommend? OpenBSD?
From his post, it appears that he recommends a VT100 terminal.
Bravo to Apple! (Score:3)
Seems like there's a simple solution (Score:2)
Synthetic events are a macOS mechanism that allows applications to automate mouse clicks and keyboard input. It was created for the sake of automation and can be used via either the Core Graphics framework or the AppleScript scripting language.
Just get rid of the subsystem that allows this. What user needs that kind of automation? Developers are already supposed to get a devkit virtualization of things, so if this is there for them, why not keep it sandboxed away in that?
Re:Seems like there's a simple solution (Score:5, Informative)
What user needs that kind of automation?
UI automation is for users of assistive technology for people with disabilities [wikipedia.org] and for users who want to script proprietary GUI applications whose developers can't be anused to provide a scripting interface.
Re: (Score:2)
Okay. That hadn't occurred to me. Thank you.
This really makes it difficult for Apple then on how to engineer that without bad actors getting involved.
Re: (Score:3)
Not to mention that the Software Development Industry sucks in making API's to their products. And to have a common API, that doesn't require fooling the inputs is nearly impossible to get everyone to implement.
In the Unix world of command line interfacing, Pipes were handy and relatively fast, until we started to get graphic applications and crazy forms of inputs. After that we need API's to do the work, but because most software seems to place most of its security on the UI level. Just as long as the pe
Re: (Score:2)
Basically MacOS, since before it was OS X has what the Windows users get by installing AutoHotKey and a lot more.
Example: easy to make scripts doing:
- check network share if any new image file appears inside
- load image into industry-standard un-scriptable image editing software and automatically perform image editing operations
- save results in other directories
- open industry-standard un-scriptable DTP software, place said images in specific positions
- load text files from another directories and insert t
No Worries. Apple will soon invent (Score:1)
User Interface Privilege Isolation and Mandatory Integrity Control. Welcome to 2002, Apple.
Well, with automation and everything (Score:2)
Re: (Score:2)
Having to use screen scraper programs, to automate workflow. Ill let you know, these programs didn't replace anyone's jobs. The data just wouldn't have been entered in the system, and people would had suffered by not getting it when they needed it.
Re: (Score:2)
retire the feature (Score:2)
time to rip this feature out of MacOS, if you can get rid of iTunes, you can make do with getting rid of this one too.