MacOS Mojave zero-day privacy vulnerability uncovered

News by Mark Mayne

Security researchers have revealed a privacy bypass vulnerability just hours after the launch of Apple's latest Mac OS.

Security researchers have revealed a privacy bypass vulnerability just hours after the launch of Apple’s latest Mac OS.

Business and end users rushing to download the latest Apple MacOS update Mojave might want to hold fire for a while, after reports of a privacy bypassing vulnerability in the new OS.

Researcher Patrick Wardle posted a tweet and short video praising the new ‘dark mode’ setting, but also highlighting an exploit that allows attackers to bypass the privacy safeguards in Mojave and access the contacts on the device.

— patrick wardle (@patrickwardle) 24 September 2018

Wardle said he had contacted Apple about the issue, but was not aware of a dedicated macOS bug bounty program.

Joseph Carson, Chief Security Scientist at Thycotic told SC Media UK that: "Apple consider privacy of their products and customers to be of the utmost importance and Apple do take any security or privacy bugs very seriously. However this does confirm that Apple’s development life cycle is getting complacent by such serious privacy flaws getting into final releases.

"Apple’s stance on privacy is serious, which was proved with them going head to head with the FBI about creating back doors into their products which was a very public debate. Such bugs would allow governments, cyber-criminals and nation states, who abuse human rights, to exploit such flaws and abuse them."

However, Ed Williams, Director EMEA, SpiderLabs at Trustwave told SC Media UK that he was unimpressed, especially regarding the lack of visible MacOS bug bounty programme.

"I believe in 2018 we should expect tighter security from technology leaders. The ability to bypass privacy controls is serious and could potentially undermine the security of the device, which is bad news for us all. Given the huge resources available to most large companies, you would expect that incidents like this would be a thing of the past.  

"It will be interesting to see how this is dealt with, I would expect a patch to be issued soon. As for the long term, companies need to consider greater visibility and focus on a bug bounty; this could minimize any future incidents as issues of this nature can be handled in a controlled manner."

A detailed explanation of the security flaw is scheduled for November at the security researcher's Objective by the Sea conference. The reveal marks the second MacOS bug that Wardle has found in as many months, having uncovered CVE-2017-7150 back in August. The latter issue affects versions of Apple macOS software before version 10.13, and relates to the ability of a malicious actor to use synthetic events to bypass user protections and fully compromise the OS.

Apple’s Mojave update addresses a series of security issues, incorporating fixes for eight CVE-listed vulnerabilities, including remote code execution flaws in the kernel (CVE-2018-4336, CVE-2018-4344) and weak RC4 encryption (CVE-2016-1777).

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews