"Known macOS Vulnerabilities Led Researcher to Root Out New Flaws"
A researcher named Csaba Fitzl discovered several new Apple macOS vulnerabilities by studying and analyzing previous bug reports. One of the vulnerabilities he discovered was a mirror image of a logic flaw that a team of researchers found and exploited at the 2020 Pwn2Own contest. Fitzl said he reread and studied the team's winning six-exploit chain that allowed them to hack macOS. One of the exploits in the chain used a privilege escalation bug, which Apple later fixed. However, he still found an existing hole: although Apple fixed the bug properly, an additional function enabled another vulnerability to be exploited differently from the original one. The flaw that Apple originally fixed allowed an attacker to change the ownership of a directory in macOS, but Fitzl found that he could create a new directory on the targeted system, which also allows an attacker to escalate their privileges on macOS. Although different techniques must be used to get through to the system, creating an arbitrary directory anywhere on the system could elevate one's privileges to root. It is considered the same logic flaw, but in a different piece of the code. Fitzl revealed that he did not detect signs of the new flaws linked to previous research until he reread the research papers.

The other two flaws he discovered include one that expanded on a study conducted by Mickey Jin, another researcher, who found a bypass for a patch released to fix the XCSSET malware, which targeted Apple's built-in Transparency, Consent, and Control (TCC) privacy and security framework. This malware allows attackers to steal sensitive user and developer information from applications installed on a Mac machine. Fitzl noticed an underlying weakness in the TCC framework that, if exploited, would let an attacker bypass TCC.
Together with Wojciech Regula, the head of mobile security at SecuRing, Fitzl found that it is possible to generically bypass TCC through an inherent vulnerability that emerged from previous research. While macOS uses code signing and relies on verifying code signatures, TCC was not verifying the running process but rather the binary on disk. This article continues to discuss how Fitzl discovered newer Apple macOS vulnerabilities, as well as recommendations for protecting macOS.
Dark Reading reports "Known macOS Vulnerabilities Led Researcher to Root Out New Flaws"