A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.
In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.
The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.
This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.
The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.
Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.
The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.
Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.
This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.
The standard defenses built into macOS – Gatekeeper, for example – are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.
Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.
22 comments
As we reported this morning, Apple today cut the prices of higher-end MacBook Pro SSD upgrades by up to $400, and as it turns out, there have been pricing changes to components in other Mac...
Apple's long-awaited AirPower could be launching in the near future, based on coding changes that 9to5Mac's Guilherme Rambo says he found in the latest iOS 12.2 beta, released yesterday...
A new Sports Illustrated article offers a look inside Apple's so-called sports surveillance room at its Results Way office complex in Cupertino, California, where a team of Apple employees have...
Alongside a refresh of the iMac and new Radeon Pro Vega graphics options for the iMac Pro, Apple today quietly lowered the price of some of the storage upgrade options for the MacBook Pro.
2TB...
With less than one week to go until Apple's "It's Show Time" media event, the company is said to still be courting major news companies to join its revamped Apple News subscription...
Apple may have plans to announce a new seventh-generation iPod touch in a press release as early as tomorrow.
MacRumors received a tip earlier this month claiming that Apple would announce new...
The Verge has obtained never-before-seen photos of a development board for the original iPhone, providing an interesting look back at the measures Apple took to ensure the smartphone remained as much...
Alongside a spec bump to standard iMac models, Apple today quietly added 256GB RAM and Radeon Pro Vega 64X graphics options to the iMac Pro.
Upgrading to 256GB of 2,666MHz DDR4 ECC memory...
