12-August-2022

Computest ethical hacker finds serious vulnerability in Apple's macOS

This week, the vulnerability in Apple's macOS discovered by Thijs Alkemade, ethical hacker at Computest Security, will be presented at the biggest international hacker conferences – Black Hat and DEF CON. The vulnerability in question is a ‘process injection vulnerability’. It allowed all macOS AppKit-based applications to be exploited to gain access to other applications and the system itself. Apple has since fixed the vulnerability with an update in macOS Monterey.

By exploiting the process injection vulnerability in macOS, individuals with malicious intent were able to access the privileges of other applications via a single application and use them for nefarious purposes – for example, turning on the camera or microphone unnoticed or even gaining access to the entire system. This would also make it quite easy to install malware, for instance. What makes the vulnerability particularly interesting is that it is universally applicable to all AppKit-based applications.

Vulnerability in an unexpected location

Alkemade adds that this vulnerability was found in an unexpected location. It was in a functionality that was developed a decade ago: the ‘saved state’ feature. Thanks to this feature, when you restart your computer, the system offers to reopen the windows you previously had open. When saved state was developed, there was no vulnerability yet, because at that time there was not such a multitude of applications, all with different privileges. This variety of permissions also means the vulnerability could potentially have a big impact.

"It is understandable that features developed long ago don’t always take account of today's technology. Really, the system ought to be regularly examined in its entirety," says Alkemade. "However, that usually doesn't happen because the focus is on developing new features. But in many cases, as a system becomes larger and more comprehensive, it also becomes more vulnerable. It is important that organisations are aware of this and take appropriate security measures."

Alkemade reported the security vulnerability to Apple and also provided information on how it could be exploited. For this, he was awarded a so-called bug bounty. Apple has since fixed the vulnerability by issuing an update for macOS Monterey. In addition, changes have been made to AppKit's documentation to allow developers to build new applications and features without the vulnerability.

Award-winning hacks

Alkemade's research on macOS adds to an impressive track record. Together with his colleague Daan Keuper, he devotes his time at Computest Security entirely to research in a dedicated lab. They already have a number of award-winning hacks to their name. For instance, Alkemade and Keuper have won the international hacking competition Pwn2Own twice by hacking Zoom and identifying vulnerabilities in industrial systems. They have also exposed vulnerabilities in several Volkswagen Group cars.

>> You can read more about the vulnerability and the investigation in this blog.

About Computest

Founded in 2005, Computest is an expert in Cybersecurity, Performance and DevOps. It consists of two divisions: Computest Security and Computest DevOps. Computest Security provides customers with independent advice and implementation in the field of risk management, continuous preventive security, performance, information security and governance control. Computest DevOps covers all possible roles and specialisations within DevOps, guiding organisations to a higher level of maturity in DevOps. Computest has about 200 specialists and is located in Zoetermeer.

More information

Ethical hacker - Thijs Alkemade
e. talkemade@computest.nl
t. +31 (0) 6 24 19 33 89

PR & Communication - Chantal Schepers
e. chantal@itsarep.nl
t. +31 (0)6 23 50 99 23

