Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

[MacRumors]

A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the "Do you want to allow..." popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app - like a PDF in Preview, for example - and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.

The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it's wise to automatically open "safe" files. This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user's filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!

In the next stage, the malicious web page runs code that can load or "browse" to the custom URL scheme, which causes macOS to activate the URL handler and launch the malicious application.

This action is enabled through the Safari user prompt that includes options to "Allow" or "Cancel" the process, however the popup text and available options are controlled by the attacker, and are therefore easily changed to trick or deceive the user.

The standard defenses built into macOS - Gatekeeper, for example - are said to be ineffective when it comes to the attack described above, and while Apple could always revoke the malicious app's signature, that course of action would obviously be too late for anyone who had already gone ahead and launched it.

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.

Article Link: Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

 

[Kebabselector]

Until then, turning off automatic unzipping of "safe" files should be enough to prevent the malicious procedure from ever occurring. Concerned users can do so by clicking the Safari menu bar, selecting Preferences..., and under the General tab, unchecking Open "safe" files after downloading.

Surely this should be the default position for any user regardless of the exploit or not.

 

[jel888]

So glad that I don't have this option checked! Thanks! Also, if you are the rare macOS user who does have a malware or antivirus app, does this apply still? As in, if your malware or antivirus is set up to check the opening of files (whether "safe" or not), then might this help prevent the code from running and thus installing a malicious code?

 

[maflynn]

Yikes, that's scary stuff - I had to check to make sure Safari doesn't automatically open "safe" items.

 

[ArtOfWarfare]

So glad that I don't have this option checked! Thanks! Also, if you are the rare macOS user who does have a malware or antivirus app, does this apply still? As in, if your malware or antivirus is set up to check the opening of files (whether "safe" or not), then might this help prevent the code from running and thus installing a malicious code?

I’d think it wouldn’t necessarily help. My understanding is all antivirus apps do is scan files for known virus signatures.

It’d help against anything from a script-kiddie, but so long as the person who did this actually wrote their own malicious app rather than relying on something preexisting, then there’d be nothing for the antivirus app to tell you was definitely dangerous.

It could always tell you nobody had verified the program was actually safe, I guess, but my antivirus on Windows at work tells me that a lot and I always ignore it. I’d guess with AV being so uncommon on macOS, the library of apps it would recognize as definitely safe would be even smaller.

 

[NaOH]

There have been a few previous security vulnerabilities relating to Safari on the Mac, where allowing Safari to open 'safe' files was the entry vector.

Ever since the first such vulnerability, it's been my opinion that the safest approach is to simply leave that option turned off permanently. Particularly as it doesn't really add much convenience. I very rarely want to open a file as soon as it's been downloaded. Also, opening a file manually involves two clicks at the very most.

Anyway, I feel this is one instance where security outweighs convenience by a very wide margin.

 

[jel888]

I’d think it wouldn’t necessarily help. My understanding is all antivirus apps do is scan files for known virus signatures.

It’d help against anything from a script-kiddie, but so long as the person who did this actually wrote their own malicious app rather than relying on something preexisting, then there’d be nothing for the antivirus app to tell you was definitely dangerous.

It could always tell you nobody had verified the program was actually safe, I guess, but my antivirus on Windows at work tells me that a lot and I always ignore it. I’d guess with AV being so uncommon on macOS, the library of apps it would recognize as definitely safe would be even smaller.

Thanks! I'm using Malwarebytes (which Apple actually uses when checking thinks, at least their tech did a few times when I've called) and also Bitdefender (really like and they have an extensive library I think even for Mac), but I definitely agree with you that we tend to ignore the kind of warnings you mentioned about verified certificates.

Bitdefender recently made what I think is a major improvement in it's notifications. It tells me that an app is trying to write something and whether the app i certified, Apple approved, previous was and now isn't, etc. It really gives me "context" in which to have a basis for deciding whether I want to allow the app to take action or not. I'm not saying this to recommend it or not, but glad that they went in this direction to give a maximum of informations to help the user take action.

 

[NaOH]

Did you make a comment or reply, because if so I can't find it in your reply (seems like you only reposted the article).

Yeah, I think something went weird when I tried to reply the first time.
My proper reply seems to be further down the page.

 

[twistedpixel8]

Surely this should be the default position for any user regardless of the exploit or not.

It shouldn’t even be a feature. How lazy do you have to be if you can’t double click an archive?!

 

[Justanotherfanboy]

His snarky “thanks Apple!” comment seemed a bit unprofessional for a security researcher.
Surely he must be aware that all tech companies don’t try to have security holes... & if none existed whatsoever, he’d be out of a job.

 

[MrGimper]

I only came here to doff my cap for the use of the word "hoodwinks"

 

[thisisnotmyname]

I’d think it wouldn’t necessarily help. My understanding is all antivirus apps do is scan files for known virus signatures.

It’d help against anything from a script-kiddie, but so long as the person who did this actually wrote their own malicious app rather than relying on something preexisting, then there’d be nothing for the antivirus app to tell you was definitely dangerous.

It could always tell you nobody had verified the program was actually safe, I guess, but my antivirus on Windows at work tells me that a lot and I always ignore it. I’d guess with AV being so uncommon on macOS, the library of apps it would recognize as definitely safe would be even smaller.

Some are based upon signatures, others based upon heuristics. Heuristic based anti-virus can catch previously unknown viruses.

 

[Porco]

I have always turned this option off for any mac I worked with. It should never have been a thing, and certainly never the default.

 

[HBX]

Meh, never used Safari, never will. Opera is great on MacOS.

 

[iapplelove]

Mine was checked. Now it’s not.

Thanks!

 

[Darmok N Jalad]

Thanks for the news. I disabled it for both users on the iMac.

I have always turned this option off for any mac I worked with. It should never have been a thing, and certainly never the default.

Yeah, especially zip files. That extension has been the germ donkey of the tech world for as long as I can remember.

 

[NaOH]

Meh, never used Safari, never will. Opera is great on MacOS.

Come to think of it. Opera is my current go-to browser for downloading stuff. Mainly because it lets me set the default download behaviour to ask me which folder to save the download in.

Safari doesn't let me do that without right-clicking/option-clicking on the download link. I guess that's down to Apple's insistence that people shouldn't need to have a folder structure.

 

[luvbug]

Similar to the Mail preference to "Prohibit loading remote content", I always have the "Automatically open safe files" turned off. This is an area where I think Apple should have an install-time option to select among a couple security-level profiles like "I'm lazy" (wide open), "Convenience" (middling), and "Protect and defend" (reasonably strict).

 

[NaOH]

Thanks for the news. I disabled it for both users on the iMac.



Yeah, especially zip files. That extension has been the germ donkey of the tech world for as long as I can remember.

Indeed. A zip file could contain anything.

 

[coolfactor]

Thanks for the news. I disabled it for both users on the iMac.



Yeah, especially zip files. That extension has been the germ donkey of the tech world for as long as I can remember.

You nailed it. Zip files should not be on the list of "safe" files!

 

[justperry]

Indeed. A zip file could contain anything.

You nailed it. Zip files should not be on the list of "safe" files!

Don't forget RAR files.

 

[CarlJ]

The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user's filesystem.

TIL there are people who have the option for this enabled?!? First thing I turned off when it first appeared. Zip files will open when I decide and not before, TYVM.

 

[thespyder]

I'm not convinced it's that bad. At one point the article admits it's only older versions of safari:

While recent versions of Safari will prompt the user before launching an the application that has been registered to handle custom URL requests, older version of Safari (e.g default install on El Capitan) do not!

Safari 11 is distributed as an update to that OS, although 12 won't be, but (imo) most users will be running an updated Safari. We're really only talking about the percentage of the user base who never runs software update and they likely have easier-to-exploit security vulnerabilities than this.

He's sort of right about gatekeeper, I'm not familiar with how long Apple takes to revoke malicious developer certificates, but now we're talking about the percentage of users who both don't run the latest Safari and accept all prompts put in front of them.

I'm a software developer so I'm clearly biased but most mac users I know wouldn't be infected by this attack.