A process injection flaw in the way macOS restores an application's saved state (the windows and documents it reopens after a relaunch) could allow a malicious app to escape its sandbox, gain root privileges and bypass System Integrity Protection on Mac devices.
The news comes from Sector7 security researcher Thijs Alkemade who, in a Sector7 blog post (and at the Black Hat conference in Las Vegas), demonstrated how threat actors could abuse the flaw to take over the device.
After the initial injection into another process, Alkemade was able to escape the macOS sandbox (a feature designed to confine a compromised app so the rest of the system is unaffected), elevate privileges to root and then bypass System Integrity Protection (SIP), which in turn allowed unauthorized code to be loaded onto the system.
The cybersecurity researcher said he first found the vulnerability in December 2020 and subsequently reported it to Apple through the company's bug bounty programme.
Alkemade also explained that, because his exploit chain combined multiple flaws, Apple addressed most of them in April 2021 and patched the last one in October 2021.
Apple's security notes for both updates do not go into technical detail, saying only that a malicious application could leak sensitive user information and escalate privileges.
"In the current security architecture of macOS, process injection is a powerful technique," Alkemade wrote in his blog post.
"A generic process injection vulnerability can be used to escape the sandbox, elevate privileges to root and to bypass SIP's filesystem restrictions. We have demonstrated how we used insecure deserialization in the loading of an application's saved state to inject into any Cocoa process," the post concluded.
“This was addressed by Apple in the macOS Monterey update.”
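The root cause the post names, insecure deserialization of an application's saved state, is a general pattern in Cocoa apps: an archive read from disk is decoded with NSKeyedUnarchiver, and if secure coding is not enforced, the archive itself decides which classes get instantiated. The Swift program below is an added illustration of that pattern and its fix; it is not code from the Sector7 post, from Apple or from the vulnerable component. The class names (WindowState, UnexpectedGadget) and the archive layout are constructed for the example, and the "saved state" blob is built in memory rather than read from a real .savedState directory.

```swift
import Foundation

// Added example (not from the Sector7 post or from Apple's code). A minimal
// "saved state" archive is built with NSKeyedArchiver and then restored two
// ways: the insecure path instantiates whatever class the archive names, the
// secure path restricts decoding to an explicit allowlist. Class names and the
// archive layout are constructed for illustration.

// The one class the hypothetical app legitimately stores in its saved state.
@objc(WindowState)
final class WindowState: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool { true }
    let title: String
    init(title: String) { self.title = title }
    required init?(coder: NSCoder) {
        guard let t = coder.decodeObject(of: NSString.self, forKey: "title") else { return nil }
        title = t as String
    }
    func encode(with coder: NSCoder) { coder.encode(title as NSString, forKey: "title") }
}

// Stand-in for a class the app never meant to decode from untrusted data.
// In a real chain this is where attacker-chosen classes (gadgets) would run.
@objc(UnexpectedGadget)
final class UnexpectedGadget: NSObject, NSCoding {
    override init() { super.init() }
    required init?(coder: NSCoder) {
        super.init()
        print("UnexpectedGadget.init(coder:) ran: archive-controlled class was instantiated")
    }
    func encode(with coder: NSCoder) {}
}

// Constructed saved-state blob: an archive whose root object is not a WindowState.
// This models a file written by an attacker into the target app's saved-state location.
func buildUntrustedArchive() -> Data {
    let archiver = NSKeyedArchiver(requiringSecureCoding: false)
    archiver.encode(UnexpectedGadget(), forKey: NSKeyedArchiveRootObjectKey)
    archiver.finishEncoding()
    return archiver.encodedData
}

// Insecure restore: secure coding disabled, so any class named in the archive
// (that exists in the process) has its init(coder:) called.
func restoreInsecurely(_ data: Data) -> Any? {
    guard let unarchiver = try? NSKeyedUnarchiver(forReadingFrom: data) else { return nil }
    unarchiver.requiresSecureCoding = false
    let object = unarchiver.decodeObject(forKey: NSKeyedArchiveRootObjectKey)
    unarchiver.finishDecoding()
    return object
}

// Secure restore: secure coding enforced and the expected class allowlisted.
// An archive naming any other class fails to decode instead of instantiating it.
func restoreSecurely(_ data: Data) -> WindowState? {
    return try? NSKeyedUnarchiver.unarchivedObject(ofClass: WindowState.self, from: data)
}

let blob = buildUntrustedArchive()
print("insecure restore:", restoreInsecurely(blob) as Any)   // UnexpectedGadget is created
print("secure restore:", restoreSecurely(blob) as Any)       // nil: class not allowlisted
```

The check a reviewer should look for in any Cocoa code that reads archives from a location another process can write to is the second form: `requiresSecureCoding` left at its default of true and a class allowlist passed to `unarchivedObject(ofClass:from:)` or `unarchivedObject(ofClasses:from:)`. Without it, the process is trusting the on-disk file to pick which classes it instantiates, which is exactly the foothold the post describes.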
The disclosure of the vulnerability and its patches comes weeks after security researchers at ESET found a macOS backdoor they dubbed “CloudMensis” that was being used in targeted attacks to steal sensitive information from victims.