
How can synthetic clicks aid a privilege escalation attack?

An Apple security expert introduced the concept of synthetic clicks, which can bypass privilege escalation defenses. Find out how this new attack technique works with Nick Lewis.

An Apple security expert last year documented an attack technique that uses synthetic clicks to bypass security features in macOS High Sierra. What are synthetic clicks and how does this attack work?

Once malware has been placed on an endpoint, any of several vulnerabilities can be used for local privilege escalation. That malware may take the form of a traditional executable or of scripts running on the endpoint. Even a system with a secure configuration can still be exposed to privilege escalation vulnerabilities, which can cause damage to the user, to the data on the system and even to the rest of the network.

A new approach to privilege escalation attacks is bypassing prompts that ask users if they want to perform an action that might be detrimental to their system's security. Even though the user has the ability to make changes and install software, macOS and Windows include an extra step to securely verify the user's intentions.

One way to bypass these prompts is to use malware that is already on the system and find a way to click the button that enables the desired action -- all without any action on the part of the user. On Windows systems, AutoIt -- a legitimate system administration tool -- has been exploited to enable attackers to click buttons, and Android Accessibility Services has been exploited on Android devices in the same way.

Patrick Wardle, chief research officer at Digita Security, a macOS security company, showed how attackers can use synthetic clicks -- a feature of macOS that allows a program to select a button in an open window -- to bypass security protections, even though the feature was designed to not work on some sensitive allow or deny buttons.

Wardle explained the actions a malicious actor could take on an unpatched system to abuse this functionality. Even after applying an Apple update, the specific attack allowed attackers to access contacts, calendars, locations and network connections. Apple's latest update to macOS Mojave, version 10.14, removes support for all synthetic events, including synthetic clicks; while doing so eliminates the possibility that an attacker can exploit synthetic clicks, it will also break any software that uses the synthetic events legitimately.


This was last published in January 2019
