News Centre

How Opening Safari Could Have Hacked Your Apple Device

Article by
November 25, 2018


apple - Tech Patrol

Safari comes standard with every single Apple device that you own, it’s apples very own go-to browser. Earlier this week the DropBox team released details of three critical vulnerabilities in Apple macOS. Throughout this article, we will demonstrate how the vulnerabilities were discovered and what you can do to make sure that you or your company are protected. 

The reported vulnerabilities were originally discovered by Syndis, a cybersecurity firm that has been hired by Dropbox to conduct simulated penetration testing attacks as Red Team on the company’s IT infrastructure, including Apple software used by Dropbox employees.

Dropbox did the responsible thing and disclosed to Apple’s security team in February this year, which were then patched by Apple after one month from initial discovery within their March security updates.

According to DropBox, the vulnerabilities discovered by Syndis didn’t just affect its macOS fleet but also affected all Safari users running the latest version of the web browser and operating system at the time.

list of the three reported (then-zero-day) vulnerabilities:

  1. The first flaw (CVE-2017-13890) that resided in CoreTypes component of macOS allowed Safari web browser to automatically download and mount a disk image on visitors’ system through a maliciously crafted web page.
  2. The second flaw (CVE-2018-4176) resided in the way Disk Images handled .bundle files, which are applications packaged as directories. Exploiting the flaw could have allowed an attacker to launch a malicious application from mounted disk using a bootable volume utility called bless and its –open folder argument.
  3. The third vulnerability (CVE-2018-4175) involved a bypass of macOS Gatekeeper anti-malware, allowing a maliciously crafted application to bypass code signing enforcement and execute a modified version of Terminal app leading to arbitrary commands execution.





How did this vulnerability work?

The researchers, acting like black hat hackers, were able to create a two-stage attack by chaining together all the three vulnerabilities to take control of a Mac computer just by convincing a victim into visiting a malicious web page with Safari.

“The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition, it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/ without prompt,” DropBox says in its blog post.

“The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt.”


What do I need to do?

Even though Apple released security updates on March 29 that included the security fixes for the vulnerabilities mentioned in this article. We still have come across devices that are still exposed and we want to bring awareness to this as it has not been a broad topic in the media and users are still being hacked. If you’re reaching this please make sure that you install the latest monthly security updates in order to protect your systems against any threat, especially company devices that usually don’t receive the necessary updates.




Other Articles You May Enjoy:



Share your thoughts in the Comments section:

Subscribe For The Latest In Technology

Other Posts You May Like


Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.


Microsoft Azure

Introduction to Azure – A Core Cloud Service

Microsoft Responds to COVID-19

Microsoft Responds To COVID-19 By Offering E1 Licenses Free For The Next 6-Months


Microsoft Teams vs Zoom. What is right for your business?

Microsoft Azure

Azure Firewall Manager now supports virtual networks.

White Paper

Enjoy this free eBook

Tech Patrol - Microsoft Office 365

White Paper (Why businesses Are Migrating to Cloud)

  • This field is for validation purposes and should be left unchanged.
Scroll to Top