When you shut down your Mac, you receive a pop-up message saying that “Are you sure you want to shut down your computer now?” In the pop-up message, there is a checkbox that says if you want to reopen currently opened windows when you open your machine later. Thijs Alkemade, a security researcher at cybersecurity firm Computest in the Netherlands was able to find a vulnerability in that “saved state” feature that can be used to break through macOS security easily.
MacOS Vulnerability in the “Saved State” Feature
The vulnerability triggered by a process injection attack can easily exploit macOS security and let attackers access all files on a Mac and also acquire control of the webcam. As per Alkemade research, the attack is not restricted to the saved state feature. Once Alkemade successfully deployed the initial attack on that feature, he was able to move easily through other elements of the Apple ecosystem. He escaped through the macOS sandbox, which is meant to restrict successful hacks on a single app. Moreover, he was also able to escape the System Integrity Protection (SIP), which is meant to prohibit authorized code from gaining access to sensitive files on a Mac.
The attack can be launched in multiple steps, but the most fundamental approach is the initial process injection vulnerability. Through process injection attacks, hackers are able to inject code into the system and then execute code differently than it was originally intended. Alkemade says that process injection vulnerability in an app is not uncommon. Still, the one detected in the saved state feature is so universally applicable that is not seen commonly.
The flaw detected by Alkemade is in the “serialized” object involved in the saved state system, which is meant to save windows/apps that you have opened while shutting down the Mac. Moreover, you can also run the saved state system while using the Mac through a process called App Nap.
Alkemade says that when the application is launched, it reads some files and then loads them through the serialized object insecure version. Serialized objects are used in many places in Apple’s operating system, frequently for inter-process data exchange. According to Alkemade, the attack works by creating those files in places where other applications will load them. So, a malicious “serialized object” is created that makes the system respond in ways it is not expected to.
Afterward, Alkemade managed to use the vulnerability to bypass the Mac app sandbox, which was the first flaw fixed by Apple. So, by injecting code into another application, it is easy to expand the scale and damage of the vulnerability. Lastly, Alkemade managed to escape the System Integrity Protection, which is meant to prohibit unauthorized code from accessing or modifying sensitive files. Eventually, Alkemade was able to access all the files on the Mac and was also able to change a few system files.
Apple’s Response to the Vulnerability
Alkemade detected the vulnerability in December 2020 and used Apple’s bug bounty scheme to report the vulnerability. Apple acknowledged the existence of the vulnerability and paid a significant amount to Alkemade for this research. Afterward, Apple issued a major update to address this vulnerability in October 2021.
Apple didn’t have any idea of the vulnerability before Alkemade’s research. Moreover, the security update Apple issued against the vulnerability comes with very few details. However, they do say that this issue might empower malicious apps to leak sensitive data of the user and might also allow privileges to the attacker to move within the system easily.
We can also see changes made by Apple in Xcode, which is Apple’s development workspace meant for app creators. The October 2021 fix of the vulnerability was for Macs that are running the Monterey OS version, which means that the older versions of macOS might still be vulnerable to this attack.
The vulnerability detected by Alkemade has the potential to cause severe damage, especially to older versions of macOS that didn’t receive the upgrade. Moreover, the flaw can even sometimes allow attackers to easily access the entire operating system, which means more access to data. Alkemade suggests a need to reexamine different parts of the system because the macOS local security is gradually moving towards an iOS model. Till today, there are no reports on whether the vulnerability has been used by attackers in the real world.