Zero-day vulnerability in Apple Safari

Spoofing attack

Not patched

Vulnerability in Apple Safari was used to bypass browser security restrictions and upload malware to vulnerable systems, according to DarkMatter LLC report.

The attack is believed to be carried out by the WindShift APT actor against government organizations in the Middle East.

Vulnerability details

Advisory: SB2018090621 - Spoofing attack in Apple Safari

Vulnerable component: Apple Safari

CVE-ID:

CVSSv3 score: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Description:

The vulnerability allows a remote attacker to conduct spoofing attack.

The weakness exists due to the way macOS processes URI handlers with enabled "Open Safe Files" setting in Safari browser. A remote attacker can create a specially crafted web page, trick the victim into clicking on a spoof dialog box and force unauthorized downloading of malicious file (e.g. ZIP-archive). Once downloaded, the archive will be automatically extracted.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Note: the vulnerability is being exploited in the wild by the WindShift APT actor against government organizations in the Middle East.


Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.