A Single Flaw Broke Every Layer of Security in MacOS
An injection flaw allowed a researcher to access all files on a Mac. Apple issued a fix, but some machines may still be vulnerable.
Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Nestled under the prompt is another option most of us likely overlook: the choice to reopen the apps and windows you have open now when your machine is turned back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature—and it can be used to break the key layers of Apple’s security protections.
The vulnerability, which can be used to mount a process injection attack that breaks macOS security, could allow an attacker to read every file on a Mac or take control of the webcam, says Thijs Alkemade, a security researcher at Netherlands-based cybersecurity firm Computest who found the flaw. “It’s basically one vulnerability that could be applied to three different locations,” he says.
After deploying the initial attack against the saved state feature, Alkemade was able to move through other parts of the Apple ecosystem: first escaping the macOS sandbox, which is designed to limit a successful hack to a single app, and then bypassing System Integrity Protection (SIP), a key defense designed to stop unauthorized code from accessing sensitive files on a Mac.
Alkemade—who is presenting the work at the Black Hat conference in Las Vegas this week—first found the vulnerability in December 2020 and reported the issue to Apple through its bug bounty scheme. He was paid a “pretty nice” reward for the research, he says, although he refuses to detail how much. Since then Apple has issued two updates to fix the flaw, first in April 2021 and again in October 2021.
When asked about the flaw, Apple said it did not have any comment prior to Alkemade’s presentation. The company’s two public updates about the vulnerability are light on detail, but they say the issues could allow malicious apps to leak sensitive user information and escalate privileges for an attacker to move through a system.
Apple’s changes can also be seen in Xcode, the company’s development workspace for app creators, says a blog post by Alkemade describing the attack. The researcher says that while Apple fixed the issue for Macs running the Monterey operating system, which was released in October 2021, previous versions of macOS are still vulnerable to the attack.
There are multiple steps to successfully launching the attack, but fundamentally they all come back to the initial process injection vulnerability. Process injection attacks allow hackers to get their own code running inside another process on a device, so that it executes in a way that was never intended.
The attacks are not uncommon. “It’s quite often possible to find the process injection vulnerability in a specific application,” Alkemade says. “But to have one that’s so universally applicable is a very rare find,” he says.
The vulnerability Alkemade found is in a “serialized” object in the saved state system, which saves the apps and windows you have open when you shut down a Mac. This saved state system can also run while a Mac is in use, in a process called App Nap.
When an application is launched, Alkemade says, it reads some files and tries to load them using an insecure version of the “serialized” object. “In all of Apple’s operating systems, these serialized objects are used all over the place, often for inter-process exchange of data,” the researcher writes in the blog post describing the attack. “The way the attack works is that you can create those files at the place another application will load them from,” Alkemade says. Essentially, a malicious “serialized object” is created and can make the system behave in ways it is not supposed to.
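The article does not name the serialization API involved, so the following is an added illustration, not code from the article or from Alkemade’s research: it assumes the “serialized objects” are Apple’s standard keyed archives (NSKeyedArchiver/NSCoding) and contrasts the loose decoding pattern, where the file itself dictates which class gets instantiated, with the hardened form, where the loading code names the only class it will accept. The `WindowState` class and the sample archives are constructed for the example.

```swift
import Foundation

// Constructed stand-in for one saved-state record; not Apple's real format.
final class WindowState: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool { true }
    let title: String

    init(title: String) {
        self.title = title
        super.init()
    }

    // Typed decode: succeeds only if the archived value really is an NSString.
    required init?(coder: NSCoder) {
        guard let t = coder.decodeObject(of: NSString.self, forKey: "title") else { return nil }
        self.title = t as String
        super.init()
    }

    func encode(with coder: NSCoder) {
        coder.encode(title as NSString, forKey: "title")
    }
}

// Weak form: the archive names the class to instantiate, so whoever can write
// the file an app loads its state from decides what objects get built.
// (Deprecated API, kept here only to contrast with the hardened call below.)
func decodeLoosely(_ data: Data) -> Any? {
    return NSKeyedUnarchiver.unarchiveObject(with: data)
}

// Hardened form: the caller fixes the allowed root class; an archive whose
// root is anything else is rejected with an error instead of instantiated.
func decodeStrictly(_ data: Data) -> WindowState? {
    return try? NSKeyedUnarchiver.unarchivedObject(ofClass: WindowState.self, from: data)
}

// A legitimate record, and an archive whose root is some other class,
// standing in for untrusted input found at the load location.
let good = try NSKeyedArchiver.archivedData(
    withRootObject: WindowState(title: "Editor"), requiringSecureCoding: true)
let other = try NSKeyedArchiver.archivedData(
    withRootObject: ["not", "a", "window"] as NSArray, requiringSecureCoding: true)

print("loose decode of foreign archive built an object:", decodeLoosely(other) != nil)
print("strict decode of legitimate archive:", decodeStrictly(good)?.title ?? "rejected")
print("strict decode of foreign archive:", decodeStrictly(other)?.title ?? "rejected")
```

Restricting the root class is only the first layer; each nested value should likewise be decoded with `decodeObject(of:forKey:)` so that no class the loader did not name can be created from the file.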
From here, Alkemade was able to escape the Mac app sandbox using the vulnerability—this was the first flaw that Apple fixed. By injecting the code into another application, it was possible to extend what the attack could do. Finally, Alkemade was able to bypass the System Integrity Protection that’s supposed to stop unauthorized code from reading or changing sensitive files. “I could basically read all of the files on the disk and also modify certain system files,” he says.
There is no evidence to date that the vulnerability has been exploited in the real world. However, the flaw shows how, in some instances, attackers may be able to move through an entire operating system, gaining access to more data at each step. In the description for his talk, Alkemade says that as local security on macOS moves more toward an iOS model, this highlights that multiple parts of the system need to be reexamined.