
Every time you shut down your Mac, a pop-up appears: “Are you sure you want to shut down your computer now?” Below the prompt is another option that most of us probably overlook: a checkbox to reopen the applications and windows you currently have open when you turn the machine back on. Researchers have now found a way to exploit a vulnerability in this “saved state” feature, one that could be used to compromise a key layer of Apple’s security protections.
Thijs Alkemade, a security researcher at Dutch cybersecurity firm Computest, said the flaw enables a process injection attack that breaches macOS security, potentially allowing an attacker to read every file on a Mac or control its webcam. “It’s basically a vulnerability that can be applied in three different places,” he said.
After deploying an initial attack on the saved-state feature, Alkemade was able to traverse the rest of the Apple ecosystem: first escaping the macOS sandbox, which is designed to confine a successful hack to a single app, and then bypassing System Integrity Protection (SIP), a key defense designed to block unauthorized code from accessing sensitive files on a Mac.
Alkemade, who presented the work at the Black Hat conference in Las Vegas this week, first discovered the vulnerability in December 2020 and reported the issue to Apple through its bug bounty program. He said he was paid “pretty well” for the research, although he declined to elaborate on the exact amount. Apple has since released two updates to fix the vulnerability, the first in April 2021 and the second in October 2021.
When asked about the flaw, Apple said it had no comment prior to Alkemade’s demo. The company’s two public updates on the vulnerability did not elaborate, but they said the issues could allow malicious apps to leak sensitive user information and elevate an attacker’s privileges to move around the system.
A blog post describing Alkemade’s attack said Apple’s changes could also be seen in Xcode, the company’s development environment for app creators. While Apple has fixed the issues for Macs running the Monterey operating system released in October 2021, previous macOS versions are still vulnerable, the researchers said.
There are multiple steps to a successful attack, but fundamentally they all go back to the original process injection vulnerability. Process injection attacks allow hackers to inject code into a device and run it differently than originally intended.
Such attacks are not uncommon. “Often process injection vulnerabilities can be found in specific applications,” Alkemade said. “But it’s very rare to have such a general finding.”
The vulnerability discovered by Alkemade lies in a “serialized” object in the saved state system, which saves the applications and windows you have open when you shut down your Mac. This saved state system can also run while the Mac is in use, through a process called App Nap.