Vulnerability details
Advisory: SB2018090621 - Spoofing attack in Apple Safari
Vulnerable component: Apple Safari
CVE-ID:
CVSSv3 score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C
CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Description:
The vulnerability allows a remote attacker to conduct a spoofing attack.
The weakness exists due to the way macOS processes URI handlers when the "Open Safe Files" setting is enabled in the Safari browser. A remote attacker can create a specially crafted web page, trick the victim into clicking on a spoofed dialog box and force the unauthorized download of a malicious file (e.g. a ZIP archive). Once downloaded, the archive is automatically extracted.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Note: the vulnerability is being exploited in the wild by the WindShift APT actor against government organizations in the Middle East.
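A hunting check for the condition described above, as an added example that is not part of the advisory: it walks a download directory for application bundles whose Info.plist declares URL schemes through the standard CFBundleURLTypes / CFBundleURLSchemes keys, since automatically extracted archives land there. The function names and the choice of ~/Downloads as the scan root are assumptions.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError


def url_schemes_declared(info_plist: Path) -> list:
    """Return the URL schemes (lowercased, de-duplicated) an Info.plist declares."""
    try:
        with info_plist.open("rb") as fh:
            info = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return []  # unreadable or malformed plist: nothing to report
    if not isinstance(info, dict):
        return []
    url_types = info.get("CFBundleURLTypes", [])
    if not isinstance(url_types, list):
        return []
    schemes = set()
    for url_type in url_types:
        if not isinstance(url_type, dict):
            continue
        declared = url_type.get("CFBundleURLSchemes", [])
        if isinstance(declared, list):
            schemes.update(str(s).lower() for s in declared)
    return sorted(schemes)


def find_handler_bundles(root: Path) -> dict:
    """Map each .app bundle under root to the URL schemes it declares."""
    findings = {}
    for info_plist in root.rglob("*.app/Contents/Info.plist"):
        schemes = url_schemes_declared(info_plist)
        if schemes:
            bundle = info_plist.parent.parent  # .../Name.app
            findings[str(bundle.relative_to(root))] = schemes
    return findings


if __name__ == "__main__":
    # Assumption: Safari saves and extracts downloads in ~/Downloads.
    scan_root = Path.home() / "Downloads"
    for bundle, schemes in find_handler_bundles(scan_root).items():
        print(f"{bundle}: declares URL scheme(s): {', '.join(schemes)}")
```

Any bundle reported here that the user did not knowingly install is worth triage, and the result is more useful when compared against a list of schemes expected on the fleet.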