A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.

malicious attack safari
The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!

In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.

malicious exploit safari
The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.

Top Rated Comments

Kebabselector Avatar
82 months ago
Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
Surely this should be the default position for any user regardless of the exploit or not.
Score: 9 Votes (Like | Disagree)
NaOH Avatar
82 months ago
There have been a few previous security vulnerabilities relating to Safari on the Mac, where allowing Safari to open 'safe' files was the entry vector.

Ever since the first such vulnerability, it's been my opinion that the safest approach is to simply leave that option turned off permanently. Particularly as it doesn't really add much convenience. I very rarely want to open a file as soon as it's been downloaded. Also, opening a file manually involves two clicks at the very most.

Anyway, I feel this is one instance where security outweighs convenience by a very wide margin.
Score: 8 Votes (Like | Disagree)
Porco Avatar
82 months ago
I have always turned this option off for any mac I worked with. It should never have been a thing, and certainly never the default.
Score: 7 Votes (Like | Disagree)
twistedpixel8 Avatar
82 months ago
Surely this should be the default position for any user regardless of the exploit or not.
It shouldn’t even be a feature. How lazy do you have to be if you can’t double click an archive?!
Score: 6 Votes (Like | Disagree)
Justanotherfanboy Avatar
82 months ago
His snarky “thanks Apple!” comment seemed a bit unprofessional for a security researcher.
Surely he must be aware that all tech companies don’t try to have security holes... & if none existed whatsoever, he’d be out of a job.
Score: 5 Votes (Like | Disagree)
MrGimper Avatar
82 months ago
I only came here to doff my cap for the use of the word "hoodwinks"
Score: 4 Votes (Like | Disagree)

Popular Stories

Generic iOS 18

Apple Announces iOS 18.2 Launching Today With These New Features

Wednesday December 11, 2024 5:23 am PST by
Apple has announced that iOS 18.2, iPadOS 18.2, and macOS Sequoia 15.2 will be released today following more than six weeks of beta testing. For the iPhone 15 Pro and iPhone 16 models, the update introduces additional Apple Intelligence features, including Genmoji for creating custom emoji, Image Playground and Image Wand for generating images, and ChatGPT integration for Siri. There is also ...
iphone 17 pro concept render cameras

Major iPhone 17 Pro Redesign Backed by Supply Chain Info, Claims Leaker

Thursday December 12, 2024 4:36 am PST by
Next year's iPhone 17 Pro models will reportedly feature a major redesign, specifically centering around changes to the rear camera module, and now new supply chain information appears to confirm the striking change, according to a Chinese leaker. iPhone 17 Pro concept render Late last month, The Information's Wayne Ma claimed that the rear of the ‌iPhone 17‌ Pro and ‌iPhone 17‌ Pro...
m4 mac mini hands on

Cloud-Based M4 and M4 Pro Mac Mini Models Now Available

Wednesday December 11, 2024 7:34 am PST by
Developers now have access to cloud-based M4 and M4 Pro Mac mini units via MacWeb, a Silicon Valley-based provider of cloud services. The company has launched three configurations of the new Mac mini, powered by Apple's M4 and M4 Pro chips. Developers and IT teams can rent these machines for tasks ranging from basic development to advanced artificial intelligence modeling, providing an...
macOS Sequoia Night Feature

Apple Releases macOS Sequoia 15.2 With New Apple Intelligence Features

Wednesday December 11, 2024 10:02 am PST by
Apple today released macOS Sequoia 15.2, the second update to the macOS Sequoia operating system that was released in September. macOS Sequoia 15.2 comes over a month after the release of macOS Sequoia 15.1. Mac users can download the ‌macOS Sequoia‌ update through the Software Update section of System Settings. macOS Sequoia 15.2 adds Image Playground, an app that lets you create...
macbook air m2 13 inch

macOS Sequoia 15.2 Confirms New M4 MacBook Air Models Are Coming

Wednesday December 11, 2024 10:54 am PST by
Apple today made a mistake with its macOS Sequoia 15.2 update, releasing the software for two Macs that have yet to be launched. There is a software file for "Mac16,12" and "Mac16,13," which are upcoming MacBook Air models. The leaked software references the "MacBook Air (13-inch, M4, 2025)" and the "MacBook Air (15-inch, M4, 2025)," confirming that new M4 MacBook Air models are in...
maxresdefault

Apple Releases iOS 18.2 and iPadOS 18.2 With Genmoji, Image Playground, Siri ChatGPT and More

Wednesday December 11, 2024 10:03 am PST by
Apple today released iOS 18.2 and iPadOS 18.2, the second major updates to the iOS 18 and iPadOS 18 updates that came out in September. The new updates come over a month after Apple released iOS 18.1 and iPadOS 18.1. Subscribe to the MacRumors YouTube channel for more videos. The new software can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General >...
apple tv purple

New Apple TV and HomePod Mini Launching in 2025

Thursday December 12, 2024 10:39 am PST by
Apple plans to refresh both the Apple TV and the HomePod mini in 2025 as part of a major push into refreshing its smart home product offerings, reports Bloomberg's Mark Gurman. In a report on an upcoming Apple-designed Bluetooth and Wi-Fi chip, Gurman says that the chip will be introduced in a new Apple TV and HomePod mini that are "scheduled" for 2025. While there is no exact timeline...