Last August, we spoke here on the site about a vulnerability in macOS High Sierra that made room for remote attacks through calls synthetic clicks – that is, actions analogous to a click but performed by software, silently. We commented at the time that macOS Mojave (and subsequent versions) would eliminate the problem simply by disabling synthetic clicks once and for all. Now, however, we know that it is not so.
The researcher Patrick Wardle – the same one that discovered the vulnerability last August – recently revealed that macOS Mojave continues to present a problem related to synthetic clicks, even though it blocked the action. The findings were revealed by him at his Objective By The Sea conference in Monaco.
It is explained: by default, Mojave actually blocks the action of synthetic clicks of any nature, but the impediment is not widespread. Some applications with older foundations, however, depend on the feature to function – one example is the VLC, which needs synthetic clicks to generate basic actions and activate plugins. For these apps to run on newer versions of macOS, Apple allows them to continue performing clicks, as long as they have a valid digital security certificate.
This is where the problem lies: according to Wardle, macOS Mojave has a flaw in this process of inspecting applications’ digital certificates. These certificates are designed to issue an error message if the app is compromised or performing malicious actions so that, on such an occasion, the system immediately blocks its operation. Mojave, however, only checks for the existence of such a certificate in a given application, without checking that it is properly “clean”.

With that, compromised apps could gain access to sensitive Mac components, such as the microphone, camera, messages, location or even deeper elements, such as Terminal and kernel of the machine. They could also allow you to install other, potentially malicious software, or even access system keys.
Wardle informed Apple about the vulnerability before revealing it to the world, but Apple did not comment on the case; it is to be expected that the company’s engineers are working tirelessly on a solution, since the failure is serious. We will be waiting for any news about the case.
via TechCrunch