Safari comes standard with every single Apple device that you own, it’s apples very own go-to browser. Earlier this week the DropBox team released details of three critical vulnerabilities in Apple macOS. Throughout this article, we will demonstrate how the vulnerabilities were discovered and what you can do to make sure that you or your company are protected.
The reported vulnerabilities were originally discovered by Syndis, a cybersecurity firm that has been hired by Dropbox to conduct simulated penetration testing attacks as Red Team on the company’s IT infrastructure, including Apple software used by Dropbox employees.
Dropbox did the responsible thing and disclosed to Apple’s security team in February this year, which were then patched by Apple after one month from initial discovery within their March security updates.
According to DropBox, the vulnerabilities discovered by Syndis didn’t just affect its macOS fleet but also affected all Safari users running the latest version of the web browser and operating system at the time.
list of the three reported (then-zero-day) vulnerabilities:
- The first flaw (CVE-2017-13890) that resided in CoreTypes component of macOS allowed Safari web browser to automatically download and mount a disk image on visitors’ system through a maliciously crafted web page.
- The second flaw (CVE-2018-4176) resided in the way Disk Images handled .bundle files, which are applications packaged as directories. Exploiting the flaw could have allowed an attacker to launch a malicious application from mounted disk using a bootable volume utility called bless and its –open folder argument.
- The third vulnerability (CVE-2018-4175) involved a bypass of macOS Gatekeeper anti-malware, allowing a maliciously crafted application to bypass code signing enforcement and execute a modified version of Terminal app leading to arbitrary commands execution.
How did this vulnerability work?
The researchers, acting like black hat hackers, were able to create a two-stage attack by chaining together all the three vulnerabilities to take control of a Mac computer just by convincing a victim into visiting a malicious web page with Safari.
“The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition, it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/Terminal.app without prompt,” DropBox says in its blog post.
“The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt.”
What do I need to do?
Even though Apple released security updates on March 29 that included the security fixes for the vulnerabilities mentioned in this article. We still have come across devices that are still exposed and we want to bring awareness to this as it has not been a broad topic in the media and users are still being hacked. If you’re reaching this please make sure that you install the latest monthly security updates in order to protect your systems against any threat, especially company devices that usually don’t receive the necessary updates.
Other Articles You May Enjoy:
- Official IT Provider For The Australian Open
- Dangerous Zero-Day Found In iPhone X, Samsung Galaxy S9 Phones
- 10 Reasons Your Business Benefits With MSP
- Trend Micro Cloud Email Gateway (key features)