Apple Silently Patches OS Hole

Friday, September 29, 2017 @ 12:09 PM gHale


Apple silently patched a macOS vulnerability that can end up exploited to bypass security features and execute arbitrary JavaScript code without restrictions.

The issue, discovered by Filippo Cavallarin of Italian security firm Segment, has been described as a local JavaScript quarantine bypass flaw and it has been assigned a risk rating of 3/5.

RELATED STORIES
Apple Patches Series of Vulnerabilities
High Sierra Zero Day Exploit
Bluetooth Devices Susceptible to Attack
ICSJWG: Change in Security Approach Needed

“This issue has been silently fixed in Mac OS X High Sierra and (at time of writing) there is no mention of this bug in Apple’s changelog,” said the Segment blog post. “No CVE has been assigned by Apple.”

When a file is downloaded from the Internet, macOS places it in “quarantine” by assigning it the com.apple.quarantine extended attribute. This ensures the user is alerted of the potential security risks before the file is executed.

Cavallarin said he found a way to bypass the file quarantine feature by exploiting DOM-based cross-site scripting (XSS) vulnerabilities in an HTML file named rhtmlPlayer.html, which is stored in the /System/Library/CoreServices folder of the OS.

This file contains two DOM-based XSS vulnerabilities that can be exploited by hackers via Uniform Resource Identifier (URI) components, Cavallarin said.

One way to exploit the flaw is to use .webloc files, which allow users to save website addresses to the local system. On macOS, these types of files are automatically opened with the Safari web browser.

The attacker needs to embed the JavaScript code they want executed into a .webloc file, send it to the victim, and convince them to open it.

The issue ended up addressed without any mention in macOS High Sierra 10.13, which Apple released earlier this week.



Leave a Reply

You must be logged in to post a comment.