News Centre

How Opening Safari Could Have Hacked Your Apple Device

Article by Diogo Correa
November 25, 2018


apple - Tech Patrol

Safari comes standard with every single Apple device that you own, it’s apples very own go-to browser. Earlier this week the DropBox team released details of three critical vulnerabilities in Apple macOS. Throughout this article, we will demonstrate how the vulnerabilities were discovered and what you can do to make sure that you or your company are protected. 

The reported vulnerabilities were originally discovered by Syndis, a cybersecurity firm that has been hired by Dropbox to conduct simulated penetration testing attacks as Red Team on the company’s IT infrastructure, including Apple software used by Dropbox employees.

Dropbox did the responsible thing and disclosed to Apple’s security team in February this year, which were then patched by Apple after one month from initial discovery within their March security updates.

According to DropBox, the vulnerabilities discovered by Syndis didn’t just affect its macOS fleet but also affected all Safari users running the latest version of the web browser and operating system at the time.

list of the three reported (then-zero-day) vulnerabilities:

  1. The first flaw (CVE-2017-13890) that resided in CoreTypes component of macOS allowed Safari web browser to automatically download and mount a disk image on visitors’ system through a maliciously crafted web page.
  2. The second flaw (CVE-2018-4176) resided in the way Disk Images handled .bundle files, which are applications packaged as directories. Exploiting the flaw could have allowed an attacker to launch a malicious application from mounted disk using a bootable volume utility called bless and its –open folder argument.
  3. The third vulnerability (CVE-2018-4175) involved a bypass of macOS Gatekeeper anti-malware, allowing a maliciously crafted application to bypass code signing enforcement and execute a modified version of Terminal app leading to arbitrary commands execution.





How did this vulnerability work?

The researchers, acting like black hat hackers, were able to create a two-stage attack by chaining together all the three vulnerabilities to take control of a Mac computer just by convincing a victim into visiting a malicious web page with Safari.

“The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition, it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/ without prompt,” DropBox says in its blog post.

“The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt.”


What do I need to do?

Even though Apple released security updates on March 29 that included the security fixes for the vulnerabilities mentioned in this article. We still have come across devices that are still exposed and we want to bring awareness to this as it has not been a broad topic in the media and users are still being hacked. If you’re reaching this please make sure that you install the latest monthly security updates in order to protect your systems against any threat, especially company devices that usually don’t receive the necessary updates.




Other Articles You May Enjoy:



Subscribe For The Latest In Technology

Other Posts You May Like



Please enter your name.
Please enter a valid email address.
Something went wrong. Please check your entries and try again.


Tech Patrol PTY LTD

Microsoft Teams Becomes The Most Used Business Collaboration App in The World

TECH PATROL - Accounting

The 4 Accounting Pillars for Digital Transformation

tech Patrol - Managed IT Services

5 Reasons Accounting Firms Should Outsource IT


Australia’s Best EOFY Device Discounts of 2019: Best Vendors, Clearance Prices!

White Paper

Enjoy this free eBook

Tech Patrol - Microsoft Office 365

White Paper (Why businesses Are Migrating to Cloud)

  • This field is for validation purposes and should be left unchanged.
Scroll to Top