Earlier this week, the Dropbox security team disclosed three severe vulnerabilities in Apple's macOS. Chained together, they let a remote attacker execute code on a targeted Mac simply by luring the user to a malicious webpage: a drive-by attack that, in the researchers' proof of concept, needed no further interaction from the victim.

The vulnerabilities were found by Syndis, a cybersecurity firm that Dropbox had engaged to run a Red Team assessment (simulated penetration testing) against Dropbox's IT infrastructure, including the Apple software used within the company.

The findings were reported to Apple's security team in February. Apple acknowledged the report promptly and shipped fixes on March 29 as part of its March security updates (the macOS 10.13.4 release). Dropbox publicly credited Apple for the speed of the response.

Importantly, the issues were not specific to Dropbox's fleet: they affected every user of the Safari web browser running on the then-current version of macOS.

The three reported vulnerabilities and their respective identifiers are as follows:

The first vulnerability, CVE-2017-13890, was in the CoreTypes component of macOS. Because of it, Safari treated a disk image as a "safe" download and would automatically download and mount it on the user's system when the user was directed to a specially crafted webpage, with no prompt.

The second vulnerability, CVE-2018-4176, was in how Disk Images handled .bundle directories. A disk image can be prepared with the command-line utility `bless` and its `--openfolder` argument so that Finder automatically opens a chosen folder when the image is mounted; with this flaw, an attacker could use that mechanism to launch a malicious application from the mounted image.

The third issue, CVE-2018-4175, was a bypass of macOS Gatekeeper, the mechanism that is supposed to block execution of unverified applications. It allowed an attacker-crafted application to side-step code-signing enforcement, leading to arbitrary command execution through a modified copy of the Terminal app.

In a proof-of-concept demonstration, the researchers chained these vulnerabilities into a two-stage attack. They first modified Terminal to register a new file extension (.workingpoc) and then created an empty folder named "test.bundle"; opening it launched the modified Terminal automatically, without any prompt to the user.

Apple released security updates on March 29 that addressed all three vulnerabilities. Users and businesses should install Apple's security updates promptly; as a defense-in-depth measure, disabling Safari's "Open 'safe' files after downloading" preference stops the browser from mounting downloaded disk images on its own.
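The following triage script is an added example and is not code from Dropbox, Syndis or Apple. It checks a Mac for the conditions the chain relied on: an unpatched macOS version, Safari's "safe" file auto-open left enabled, Gatekeeper disabled, and disk images currently mounted from the Downloads folder. Each check takes the text printed by the corresponding macOS command, so the logic can be exercised offline with constructed samples; the `hdiutil info -plist` structure used (`images` / `image-path` / `system-entities` / `mount-point`) is assumed from that tool's output format, and the sample plist below is constructed for illustration.

```python
#!/usr/bin/env python3
"""Triage checks for the Dropbox/Syndis macOS disk-image chain (added example).

On a real Mac, feed these functions the output of:
  sw_vers -productVersion
  defaults read com.apple.Safari AutoOpenSafeDownloads
  spctl --status
  hdiutil info -plist
"""
import plistlib
import subprocess

# First macOS release carrying the fixes (Apple's March 29, 2018 update).
FIXED_VERSION = (10, 13, 4)


def parse_version(text: str) -> tuple:
    """'10.13.3' -> (10, 13, 3); missing trailing components count as zero."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(product_version: str) -> bool:
    """True when the installed macOS is 10.13.4 or later."""
    return parse_version(product_version) >= FIXED_VERSION


def safe_files_autoopen_enabled(defaults_output: str) -> bool:
    """Interpret `defaults read com.apple.Safari AutoOpenSafeDownloads`.

    The command prints 1/0 (or true/false). If the key has never been set it
    prints nothing and exits non-zero; Safari's default in that case is enabled.
    """
    value = defaults_output.strip().lower()
    return value not in ("0", "false", "no")


def gatekeeper_enabled(spctl_output: str) -> bool:
    """`spctl --status` prints 'assessments enabled' or 'assessments disabled'."""
    return "assessments enabled" in spctl_output.lower()


def mounted_images(hdiutil_plist: bytes) -> list:
    """Return (image path, mount point) pairs from `hdiutil info -plist`.

    Assumed layout: top-level 'images' array, each with 'image-path' and a
    'system-entities' array whose mounted entries carry 'mount-point'.
    """
    info = plistlib.loads(hdiutil_plist)
    found = []
    for image in info.get("images", []):
        path = image.get("image-path", "?")
        for entity in image.get("system-entities", []):
            mount_point = entity.get("mount-point")
            if mount_point:
                found.append((path, mount_point))
    return found


def triage(product_version: str, defaults_output: str,
           spctl_output: str, hdiutil_plist: bytes) -> list:
    """Collect human-readable findings; an empty list means nothing to flag."""
    findings = []
    if not is_patched(product_version):
        findings.append(f"macOS {product_version.strip()} predates 10.13.4: "
                        "CVE-2017-13890, CVE-2018-4175, CVE-2018-4176 unpatched")
    if safe_files_autoopen_enabled(defaults_output):
        findings.append("Safari auto-opens 'safe' downloads; disk images "
                        "can be mounted without a prompt")
    if not gatekeeper_enabled(spctl_output):
        findings.append("Gatekeeper assessments are disabled")
    for path, mount_point in mounted_images(hdiutil_plist):
        if "/Downloads/" in path:
            findings.append(f"disk image from Downloads is mounted: "
                            f"{path} at {mount_point}")
    return findings


# Constructed sample: what `hdiutil info -plist` might print with one DMG
# from ~/Downloads mounted (not captured from a real system).
SAMPLE_HDIUTIL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>images</key>
  <array>
    <dict>
      <key>image-path</key>
      <string>/Users/alice/Downloads/invoice.dmg</string>
      <key>system-entities</key>
      <array>
        <dict><key>dev-entry</key><string>/dev/disk2</string></dict>
        <dict>
          <key>dev-entry</key><string>/dev/disk2s1</string>
          <key>mount-point</key><string>/Volumes/invoice</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def run_cmd(*argv) -> str:
    """Run a macOS command and return stdout ('' if it fails or is absent)."""
    try:
        return subprocess.run(argv, capture_output=True, text=True).stdout
    except OSError:
        return ""


if __name__ == "__main__":
    # Offline demonstration against the constructed sample (unpatched host).
    for line in triage("10.13.3\n", "1\n", "assessments enabled\n",
                       SAMPLE_HDIUTIL_PLIST):
        print("SAMPLE:", line)
    # Live mode (only meaningful on a Mac): gather real command output.
    live = triage(run_cmd("sw_vers", "-productVersion"),
                  run_cmd("defaults", "read", "com.apple.Safari",
                          "AutoOpenSafeDownloads"),
                  run_cmd("spctl", "--status"),
                  run_cmd("hdiutil", "info", "-plist").encode() or b"<plist version=\"1.0\"><dict/></plist>")
    for line in live:
        print("LIVE:", line)
```

On a fleet, the live checks map directly to the three CVEs: an unpatched version means all three are present, the Safari preference is the precondition for CVE-2017-13890, and a mounted image from Downloads is the artifact a drive-by of this kind leaves behind. Note that `defaults read` returns nothing when the key is unset, and the script deliberately treats that as enabled, since that is Safari's default.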

In MITRE ATT&CK terms, the chain maps to Initial Access through drive-by compromise (a malicious webpage) followed by Execution on the victim's Mac. Vulnerabilities of this kind underscore the need for continual vigilance against web-delivered threats, even on platforms with built-in code-signing controls such as Gatekeeper.

For further insights and ongoing updates on cybersecurity topics, follow us on Google News, Twitter, and LinkedIn.