A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.
In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.
The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.
This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.
The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.
Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.
The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.
Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.
This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.
The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.
Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
22 comments
The United States Justice Department is launching a broad antitrust review into whether major technology companies are unlawfully stifling competition, reports The Wall Street Journal.
The DoJ...
Apple this week released iOS 12.4, the newest version of iOS 12 available for iPhones and iPads. One of the new features in iOS 12.4 is an updated data migration option that uses device to device...
Apple's mobile apps are often first in App Store search results ahead of competitors, according to a new analysis done by The Wall Street Journal.
For basic searches like "maps,"...
Apple plans to release an all-new 16-inch MacBook Pro in October, according to supply chain sources cited by Taiwan's Economic Daily News.
The report claims the 16-inch display will be a...
Apple is widely expected to unveil a trio of new iPhones in September, and 9to5Mac has revealed a few new features we can expect.
First, the report claims all three models will feature a...
Apple earlier this month introduced a surprise update to its MacBook Pro line, overhauling the entry-level 13-inch machine to bring it in line with more expensive models that were updated back in...
Apple is now in advanced talks to purchase Intel's smartphone modem chip business, reports The Wall Street Journal, citing people familiar with Apple's plans.
A deal that covers a...
Apple's iPhone XR was the best selling iPhone in the third fiscal quarter of 2019, according to new data shared today by Consumer Intelligence Research Partners (CIRP).
The iPhone XS, iPhone...
