Another Unpatched Vulnerability Exists In macOS Mojave

Hot on the heels of this vulnerability, which Apple hasn’t seen fit to fix, comes another one that I would rate as dangerous and that is also not fixed.

A new report from ZDNet says that Patrick Wardle, who has found numerous other exploits in Apple operating systems over the years, has a new exploit that he released details about at the Objective By the Sea conference in Monte Carlo. Specifically, it shows how malicious software could manipulate code run by an older installed application to bypass the safeguards Apple has put on user data and sensitive components such as the camera and microphone. There are two things that this vulnerability relies upon:

The new technique is possible because of the Transparency Consent and Control (TCC) system. Wardle says the TCC contains a compatibility database in the form of a file named AllowApplications.plist.

This file lists apps and app versions that are allowed to access various privacy and security features, including synthetic events.

“This is an area where Apple often struggles – comprehensively patching bugs or bug classes,” Wardle told ZDNet. “I thought they had got it right in Mojave, as they appeared initially to just block all synthetic clicks. But as always the devil is in the details,” he said.


According to Wardle, this hidden TCC database contains a bug that can be exploited to grant malicious threat actors access to synthetic events.

macOS is supposed to verify that an app requesting access to synthetic events is in fact on the TCC list. It does this by verifying if the app has been signed and if the file has been tampered with. However, Wardle says that only the first check is performed.

This allows a malicious threat actor who has minimal access to a system to download any of the apps found in the AllowApplications.plist file, append code that interacts with synthetic events, and run it to bypass Apple’s existing ban on synthetic events.
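The gap described above, modelled as an added example (not code from Wardle, ZDNet or Apple): an allowlist check that accepts any bundle carrying a valid signature for a listed app, next to one that also re-hashes the files on disk. It is a simplified model; the HMAC stands in for a real code signature, and the key, the identifier `com.example.legacyapp` and the file contents are constructed.

```python
import hashlib
import hmac

# Constructed values: the key stands in for a vendor signing key, and the
# allowlist stands in for entries in AllowApplications.plist.
VENDOR_KEY = b"constructed-demo-key"
ALLOWLIST = {("com.example.legacyapp", "1.0")}

def _mac(identity, version, manifest):
    blob = repr((identity, version, sorted(manifest.items()))).encode()
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).hexdigest()

def sign(identity, version, files):
    """Seal per-file SHA-256 hashes (HMAC is a stand-in for a real signature)."""
    manifest = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return {"identity": identity, "version": version, "manifest": manifest,
            "mac": _mac(identity, version, manifest)}

def weak_check(bundle):
    """Behaviour the page describes: signed and allowlisted, contents not re-hashed."""
    sig = bundle["signature"]
    expected = _mac(sig["identity"], sig["version"], sig["manifest"])
    signed = hmac.compare_digest(expected, sig["mac"])
    return signed and (sig["identity"], sig["version"]) in ALLOWLIST

def strict_check(bundle):
    """Adds the missing step: files on disk must match the sealed manifest exactly."""
    if not weak_check(bundle):
        return False
    manifest, files = bundle["signature"]["manifest"], bundle["files"]
    if set(files) != set(manifest):           # files added or removed after signing
        return False
    return all(hashlib.sha256(d).hexdigest() == manifest[n]
               for n, d in files.items())     # files modified after signing

# Constructed sample bundles.
_files = {"Contents/MacOS/app": b"original code", "Contents/Info.plist": b"<plist/>"}
ORIGINAL = {"files": dict(_files),
            "signature": sign("com.example.legacyapp", "1.0", _files)}
# Same signature blob, but one file was changed after signing.
TAMPERED = {"files": {**_files, "Contents/MacOS/app": b"original code + extra"},
            "signature": ORIGINAL["signature"]}

if __name__ == "__main__":
    for name, b in (("original", ORIGINAL), ("tampered", TAMPERED)):
        print(name, "weak:", weak_check(b), "strict:", strict_check(b))
```
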

This isn’t addressed at present, which means that now that this is out there, attacks are likely inbound. Thus, I hope that Apple is paying attention and addressing not only this vulnerability, but the other one that has been out there for a while.
