A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.

malicious attack safari
The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!

In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.

malicious exploit safari
The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.

Top Rated Comments

Kebabselector Avatar
75 months ago
Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
Surely this should be the default position for any user regardless of the exploit or not.
Score: 9 Votes (Like | Disagree)
NaOH Avatar
75 months ago
There have been a few previous security vulnerabilities relating to Safari on the Mac, where allowing Safari to open 'safe' files was the entry vector.

Ever since the first such vulnerability, it's been my opinion that the safest approach is to simply leave that option turned off permanently. Particularly as it doesn't really add much convenience. I very rarely want to open a file as soon as it's been downloaded. Also, opening a file manually involves two clicks at the very most.

Anyway, I feel this is one instance where security outweighs convenience by a very wide margin.
Score: 8 Votes (Like | Disagree)
Porco Avatar
75 months ago
I have always turned this option off for any mac I worked with. It should never have been a thing, and certainly never the default.
Score: 7 Votes (Like | Disagree)
twistedpixel8 Avatar
75 months ago
Surely this should be the default position for any user regardless of the exploit or not.
It shouldn’t even be a feature. How lazy do you have to be if you can’t double click an archive?!
Score: 6 Votes (Like | Disagree)
Justanotherfanboy Avatar
75 months ago
His snarky “thanks Apple!” comment seemed a bit unprofessional for a security researcher.
Surely he must be aware that all tech companies don’t try to have security holes... & if none existed whatsoever, he’d be out of a job.
Score: 5 Votes (Like | Disagree)
MrGimper Avatar
75 months ago
I only came here to doff my cap for the use of the word "hoodwinks"
Score: 4 Votes (Like | Disagree)

Popular Stories

maxresdefault

iPhone SE 4 With Face ID Said to Be Priced Below $500

Monday May 20, 2024 3:43 am PDT by
Apple is targeting a sub-$500 starting price for its upcoming fourth-generation iPhone SE model despite a raft of rumored upgrades coming to the more affordable device. According to leaker Revegnus on X, the U.S. launch price of the fourth-generation iPhone SE will either remain at the same $429 starting price as the current model, or will see an increase of around 10%. Either way, Apple's...
iOS 17

Apple Releases iOS 17.5.1 With Fix for Reappearing Photos Bug

Monday May 20, 2024 10:11 am PDT by
Apple today released iOS 17.5.1 and iPadOS 17.5.1, minor updates to the iOS 17 and iPadOS 17 operating system updates that came out last September. The 17.5.1 updates come a week after the launch of iOS 17.5 and iPadOS 17.5. iOS 17.5.1 and iPadOS 17.5.1 can be downloaded on eligible iPhones and iPads over-the-air by going to Settings > General > Software Update. According to Apple's...
iPhone 16 Pro Max Generic Feature 2

5 Biggest Changes Rumored for iPhone 16 Pro Max

Tuesday May 21, 2024 7:29 am PDT by
Given Apple's rumored plan to add an all-new high-end tier to its iPhone 17 series in 2025, this could be the year for Apple to bring its boldest "Pro Max" model to the table — the kind of iPhone 16 upgrade that stands tall above its siblings, both figuratively and literally. If you have been holding out for the iPhone 16 Pro Max, here are five of the biggest changes rumored to be coming...
microsoft surface pro qualcomm

Microsoft Says New Surface Pro is Faster Than 15" M3 MacBook Air

Monday May 20, 2024 3:19 pm PDT by
Microsoft is going all in on AI, today introducing a series of Copilot+ PCs that have AI-focused hardware. The new Surface Pro is one of the first Copilot+ PCs, equipped with Qualcomm's Arm-based Snapdragon X Elite processor. Microsoft is already pitting the Surface Pro against Apple's M3 MacBook Air, and in marketing materials, claims that the Surface Pro has superior processing power and...
iPhone 16 Camera Lozenge 2 Perspective

iPhone 16 Lineup Rumored to Come in These Two New Colors

Sunday May 19, 2024 11:08 am PDT by
Apple analyst Ming-Chi Kuo today outlined his expectations for the iPhone 16 lineup's color options, revealing that two new colors should replace two of the existing shades. Kuo outlined his expectations in a post on X (formerly Twitter) earlier today. He believes that the iPhone 16 Pro and iPhone 16 Pro Max will be available in black, white or silver, gray or "Natural Titanium," and rose....