The research activity of the CEO of We Are Segment, a cyber security company of the Interlogica group, never stops. Just yesterday, Filippo Cavallarin published a detailed technical advisory on a recently discovered weakness in macOS.

The bug, a DOM-based cross-site scripting (XSS) flaw, concerns the Apple Quarantine feature. The standard procedure, as explained in a Security Week article, is the following: “When a file is downloaded from the Internet, macOS places it in “quarantine” by assigning it the com.apple.quarantine extended attribute. This ensures that the user is alerted of the potential security risks before the file is executed”.

However, it appears that this Mac OS X weakness allows a cyber criminal to bypass the quarantine by launching arbitrary JavaScript code without any kind of restriction.
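From the defender's side, the quarantine attribute described above can be inspected on any downloaded file. The following Python example is added here and is not part of the advisory or of this article; it assumes the commonly observed value layout `flags;timestamp;agent;event-id` (flags and Unix timestamp in hexadecimal), and the sample value is constructed.

```python
import subprocess
import sys
from datetime import datetime, timezone
from typing import NamedTuple, Optional

ATTR = "com.apple.quarantine"

class Quarantine(NamedTuple):
    flags: int                      # raw flag bits, left undecoded here
    timestamp: Optional[datetime]   # when the file was quarantined (UTC)
    agent: str                      # application that downloaded the file
    event_id: str                   # identifier of the download event

def parse_quarantine(value: str) -> Quarantine:
    """Parse 'flags;timestamp;agent;event-id' (layout is an assumption)."""
    parts = value.strip().split(";")
    parts += [""] * (4 - len(parts))          # trailing fields may be absent
    flags_hex, ts_hex, agent, event_id = parts[:4]
    flags = int(flags_hex, 16)                # ValueError if malformed
    seconds = int(ts_hex, 16) if ts_hex else 0
    when = datetime.fromtimestamp(seconds, tz=timezone.utc) if seconds else None
    return Quarantine(flags, when, agent, event_id)

def read_quarantine(path: str) -> Optional[Quarantine]:
    """Read the attribute with macOS's xattr tool; None if it is not set."""
    proc = subprocess.run(["xattr", "-p", ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0:                  # attribute absent or unreadable
        return None
    return parse_quarantine(proc.stdout)

def describe(name: str, q: Optional[Quarantine]) -> str:
    """One report line per file for a triage listing."""
    if q is None:
        return f"{name}: NOT quarantined"
    when = q.timestamp.isoformat() if q.timestamp else "unknown time"
    return f"{name}: quarantined by {q.agent or 'unknown agent'} at {when}"

# Constructed sample value, not taken from a real system.
SAMPLE = "0083;5991b778;Safari;11111111-2222-3333-4444-555555555555"

if __name__ == "__main__":
    if len(sys.argv) > 1:                     # on macOS: pass file paths
        for p in sys.argv[1:]:
            print(describe(p, read_quarantine(p)))
    else:
        print(describe("sample.html", parse_quarantine(SAMPLE)))
```

A downloaded file that reports "NOT quarantined" will not trigger the warning the quote describes, which makes this listing a quick triage step for a downloads folder.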

MAC OS X VULNERABILITY

The bug concerns macOS versions 10.12, 10.11 and 10.10 and, possibly, even older versions of the operating system. Apple was warned about this issue on the 27th of June 2017, through the SecuriTeam Secure Disclosure (SSD) of Beyond Security.

HOW THIS VULNERABILITY CAN BE EXPLOITED

Filippo Cavallarin says that this weakness is contained in an HTML file called rhtmlPlayer.html, which can be found inside the /System/Library/CoreServices folder, a part of the Mac OS X core, and allows a DOM-based XSS to run arbitrary JavaScript commands.

This HTML file contains two DOM-based XSS vulnerabilities that an attacker can exploit through URI (Uniform Resource Identifier) components.

Segment’s CEO also published a tutorial video explaining how a cyber criminal can use this bug to steal sensitive data from the unlucky user.

THE SOLUTION

Apple solved this issue with the release of Mac OS X High Sierra, but did not mention this problem in the changelog.

Segment is part of the Interlogica group and offers many services, from consulting to advanced technology training in the field of IT security.