A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.

malicious attack safari
The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!

In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.

malicious exploit safari
The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.

Tags: security, malware

Top Rated Comments

Kebabselector Avatar
Kebabselector
40 months ago
Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
Surely this should be the default position for any user regardless of the exploit or not.
Score: 9 Votes (Like | Disagree)
NaOH Avatar
NaOH
40 months ago
There have been a few previous security vulnerabilities relating to Safari on the Mac, where allowing Safari to open 'safe' files was the entry vector.

Ever since the first such vulnerability, it's been my opinion that the safest approach is to simply leave that option turned off permanently. Particularly as it doesn't really add much convenience. I very rarely want to open a file as soon as it's been downloaded. Also, opening a file manually involves two clicks at the very most.

Anyway, I feel this is one instance where security outweighs convenience by a very wide margin.
Score: 8 Votes (Like | Disagree)
Porco Avatar
Porco
40 months ago
I have always turned this option off for any mac I worked with. It should never have been a thing, and certainly never the default.
Score: 7 Votes (Like | Disagree)
twistedpixel8 Avatar
twistedpixel8
40 months ago
Surely this should be the default position for any user regardless of the exploit or not.
It shouldn’t even be a feature. How lazy do you have to be if you can’t double click an archive?!
Score: 6 Votes (Like | Disagree)
Justanotherfanboy Avatar
Justanotherfanboy
40 months ago
His snarky “thanks Apple!” comment seemed a bit unprofessional for a security researcher.
Surely he must be aware that all tech companies don’t try to have security holes... & if none existed whatsoever, he’d be out of a job.
Score: 5 Votes (Like | Disagree)
MrGimper Avatar
MrGimper
40 months ago
I only came here to doff my cap for the use of the word "hoodwinks"
Score: 4 Votes (Like | Disagree)
Read All Comments

Top Stories

mac scanner permission error

Apple Says Fix Planned for 'You Do Not Have Permission to Open the Application' Error When Using a Scanner on Mac

Saturday August 14, 2021 6:15 am PDT by
In a newly published support document on its website, Apple has acknowledged an error that some users may receive when they try to use a scanner with a Mac in the Image Capture app, Preview app, or the Printers & Scanners section of System Preferences. A screenshot of the error message from the HP Support Community When attempting to use a scanner with a Mac, Apple said users might get an...
Read Full Article102 comments
original iphone

Phil Schiller Says iPhone Was 'Earth-Shattering' Ten Years Ago and Remains 'Unmatched' Today

Monday January 9, 2017 7:15 am PST by
To commemorate the tenth anniversary of the iPhone, Apple marketing chief Phil Schiller sat down with tech journalist Steven Levy for a wide-ranging interview about the smartphone's past, present, and future. The report first reflects upon the iPhone's lack of support for third-party apps in its first year. The argument inside Apple was split between whether the iPhone should be a closed...
Read Full Article424 comments
Apple Prefer Lightning Over USB C Feature

iPhone Sticking With Lightning Port Over USB-C for 'Foreseeable Future'

Tuesday March 2, 2021 9:32 am PST by
Apple will retain the Lightning connector on the iPhone for the "foreseeable future," with no intention of switching to USB-C, according to reliable analyst Ming-Chi Kuo. In spite of much of the industry moving toward USB-C, Apple will not be using it to replace the Lightning connector on the iPhone 13, or indeed on any iPhone model for the time being. In a note seen by MacRumors yesterday,...
Read Full Article299 comments
apple california streaming event

Apple Event Announced: 'California Streaming' on September 14 With iPhone 13, Apple Watch Series 7 Expected

Tuesday September 7, 2021 9:03 am PDT by
Apple today announced that it will be holding a special event on Tuesday, September 14 at 10:00 a.m. The event will take place at the Steve Jobs Theater on the Apple Park campus in Cupertino, California. As with WWDC and last year's fall events, this new event will be held digitally with no members of the media invited to attend in person. Apple will likely provide pre-taped segments for...
Read Full Article257 comments
iOS 15 icon on phone

Apple Seeds Sixth Betas of iOS and iPadOS 15 to Developers

Tuesday August 17, 2021 10:05 am PDT by
Apple today seeded the sixth betas of iOS and iPadOS 15 to developers for testing purposes, with the updates coming one week after Apple released the fifth betas. Registered developers can download the profile for the iOS and iPadOS betas from the Apple Developer Center, and once the profile is installed, beta updates will be available over the air. iOS 15 is a major update that...
Read Full Article49 comments
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
Read Full Article95 comments
omg lightning cable comparison

Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords

Thursday September 2, 2021 6:59 am PDT by
A normal-looking Lightning cable that can used to steal data like passwords and send it to a hacker has been developed, Vice reports. The "OMG Cable" compared to Apple's Lightning to USB cable. The "OMG Cable" works exactly like a normal Lightning to USB cable and can log keystrokes from connected Mac keyboards, iPads, and iPhones, and then send this data to a bad actor who could be over a...
Read Full Article153 comments
maroon5memories

Apple Collaborates With Maroon 5 to Add 'Memories' Song to Photos App

Wednesday September 25, 2019 12:02 pm PDT by
Apple has teamed up with Maroon 5 to add the group's new song "Memories" to the Memories feature in the Photos app, allowing it to be used for photo slide show creations, reports Billboard. "Memories" will be available as a soundtrack option for a limited time and it is available to iPhone and iPad users running the latest iOS 13 and iPadOS software. Memories in the Photos app are created ...
Read Full Article31 comments
it home ecommerce app iphone 13

iPhone 13 to Launch on September 17, AirPods 3 on September 30, Claims Report

Wednesday August 25, 2021 2:42 am PDT by
Apple may be planning to launch the iPhone 13 on Friday, September 17 and third-generation AirPods on Thursday, September 30, according to an image of an e-commerce app discovered by Chinese language site IT Home. The screenshot, originally posted by Weibo account @PandaIsBald, suggests all four iPhone 13 models will go on sale on September 17, followed by the AirPods 3 on September 30....
Read Full Article74 comments
Top Stories 75 Thumbnail

Top Stories: Last-Minute iPhone 13 Rumors, Apple Announces App Store Changes, and More

Saturday September 4, 2021 6:00 am PDT by
The finish line is in sight! Apple's annual iPhone event is likely just a week or so away and all eyes will be on the company as it unveils the next version of its most popular product line. With any luck, we'll also see the next-generation Apple Watch and perhaps even some new AirPods. Other news this week saw Apple making some more changes to its App Store policies in response to a...
Read Full Article34 comments