Zero-day vulnerability in Apple Safari

Spoofing attack

Not patched

A vulnerability in Apple Safari was used to bypass browser security restrictions and deliver malware to vulnerable systems, according to a DarkMatter LLC report.

The attack is believed to have been carried out by the WindShift APT actor against government organizations in the Middle East.

Vulnerability details

Advisory: SB2018090621 - Spoofing attack in Apple Safari

Vulnerable component: Apple Safari

CVE-ID:

CVSSv3 score: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Description:

The vulnerability allows a remote attacker to conduct a spoofing attack.

The weakness exists due to the way macOS processes URI handlers when the "Open Safe Files" setting is enabled in the Safari browser. A remote attacker can create a specially crafted web page, trick the victim into clicking on a spoofed dialog box and force the unauthorized download of a malicious file (e.g. a ZIP archive). Once downloaded, the archive is automatically extracted.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Note: the vulnerability is being exploited in the wild by the WindShift APT actor against government organizations in the Middle East.
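As an added defensive check that is not part of this advisory or of DarkMatter's report: a POSIX shell audit that reports whether Safari's "Open safe files after downloading" option is on for the current macOS user. It assumes the option is stored as the `AutoOpenSafeDownloads` key in the `com.apple.Safari` preference domain (1 = on, 0 = off) and that Safari treats an absent key as on, which is its default.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or from DarkMatter). Reports whether
# Safari's "Open safe files after downloading" option is enabled for this user.
# Assumption: the option is the AutoOpenSafeDownloads key of the com.apple.Safari
# preference domain; 1 = on, 0 = off; an absent key means Safari's default (on).

# classify_auto_open VALUE -> prints "safe" or "risky".
# VALUE is the raw string returned by `defaults read`; empty means key absent.
classify_auto_open() {
    case "$1" in
        0|false) echo "safe" ;;
        "")      echo "risky" ;;   # key absent: Safari falls back to auto-open
        *)       echo "risky" ;;   # 1/true or anything unexpected: treat as on
    esac
}

# read_auto_open -> prints the stored value, or nothing if absent/unreadable.
# On recent macOS the Safari plist lives in the app container; reading it may
# require Full Disk Access for the terminal, hence the container-path fallback.
read_auto_open() {
    command -v defaults >/dev/null 2>&1 || return 0   # not macOS: nothing to read
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null \
    || defaults read "$HOME/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari" \
           AutoOpenSafeDownloads 2>/dev/null \
    || true
}

# audit_safari_auto_open -> prints the finding; exit status 0 only when "safe".
audit_safari_auto_open() {
    value=$(read_auto_open)
    state=$(classify_auto_open "$value")
    printf 'AutoOpenSafeDownloads=%s -> %s\n' "${value:-<absent>}" "$state"
    [ "$state" = "safe" ]
}

# Run the audit only when invoked with --audit, so sourcing the file is side-effect free.
if [ "${1:-}" = "--audit" ]; then
    audit_safari_auto_open
fi
```

A non-zero exit from `audit_safari_auto_open` flags a user whose downloaded archives would be auto-extracted; the setting is turned off in Safari's General preferences or with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`.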