Mac Mojave Zero-Day Allows Malicious Apps to Access Sensitive Info

[silversurfer]

A zero-day vulnerability in the brand-new version of the Apple Mojave macOS has been uncovered, which would allow an attacker to access private and confidential information by using an unprivileged app.

The flaw was uncovered by Patrick Wardle, co-founder of Digita Security and creator of Objective-See Mac security tools. On Monday, Wardle announced on Twitter that: “Mojave’s ‘dark mode’ is gorgeous…but its promises about improved privacy protections? kinda #FakeNews.”

Mac Mojave 10.14, released on Monday, contains security fixes for several issues, and introduces new user data protections. These require explicit consent by users for apps to access sensitive areas like location services, contacts, calendars, reminders, photos and so on. It’s a measure meant to thwart malicious actors looking to use synthetic clicks to simulate human finger touches and gain access to private information. Now, authorization prompts pop up that require direct, real user interaction before an app can tap sensitive information. However, users can whitelist (i.e., preauthorize) trusted apps.

Source: https://threatpost.com/mac-mojave-zero-d...fo/137674/