While performing a cyber attack simulation, Dropbox and security partner Syndis discovered three zero-day Apple exploits. Dropbox frequently performs cyber attack simulations to assess the security of its systems and apply any changes needed to improve it. The security team at Dropbox has reported that it spends significant resources on security, on both preventing and detecting breaches.
Dropbox’s security partner Syndis were the ones who discovered these three zero-day vulnerabilities. A description of the vulnerabilities is below.
- CoreTypes.bundle on macOS lists items that are safe to open in Safari. Self-mounting images were incorrectly included in CoreTypes and hence could be opened by the web browser. This means an attacker could coax someone into visiting a malicious web page, and the disk would be mounted on their computer.
- An attacker can cause a particular folder to open when a self-mounting image is present on the computer by using a bootable volume function named Bless, causing the application to launch. The application would launch; however, macOS Gatekeeper would block it from automatically executing.
- Syndis then found a way to bypass Gatekeeper by modifying Info.plist within Terminal.app.
Syndis managed to show that simply by visiting a malicious website, an application could download and execute on a Mac. They used a calculator application in their demonstration and were successful at launching it and bypassing Gatekeeper.
These vulnerabilities were classed as critical because they allow attackers to gain access to a computer and control it remotely.
Apple was notified about the vulnerabilities found by Syndis on February 19 of this year and released a fix on March 29, 2018. It is expected that most Mac users are now protected from these vulnerabilities by updating their OS. If you have not updated your software since February, we recommend you do so to better protect yourself.