Dropbox Red Team Discovered CVE-2017-13890 Zero-Day in Apple's Safari

Dropbox’s Offensive Security team, working with its third-party partner Syndis, has discovered a chain of zero-day vulnerabilities in Apple’s Safari browser; one of them was later assigned CVE-2017-13890. The flaws turned up during a red team engagement that tested how Dropbox and its cloud storage infrastructure detect and respond to attacks, and it was Syndis, not Dropbox’s in-house staff, that found them.

“Our third-party partner, Syndis, found vulnerabilities in Apple software we use at Dropbox that didn’t just affect our macOS fleet, it affected all Safari users running the latest version at the time—a so-called zero-day vulnerability,” the company explained.


CVE-2017-13890: Zero-day Vulnerabilities in Apple’s Safari Discovered

If the vulnerabilities are chained together, they can enable an attacker to run arbitrary code on the targeted system just by tricking the victim into visiting a malicious web page.

Dropbox’s red team ran the engagement as a full attack simulation together with Syndis, with a fallback plan in case no new way in was found. “Identifying new ways to break into Dropbox was in scope for this engagement, but even if none were found, we were going to simulate the effects of a breach by just planting malware ourselves (discreetly, of course, so as not to tip off the detection and response team),” said Dropbox’s head of security Chris Evans.

In the end nothing had to be simulated, because Syndis came across a set of exploitable zero-day flaws in Safari. The flaws affect macOS releases before 10.13.4, as well as Sierra and El Capitan systems without the corresponding security update, and let an attacker run arbitrary code on a vulnerable machine when the user visits a specially crafted page.

The researchers reported the issues to Apple, which acknowledged the report quickly and shipped fixes about a month later, a fast turnaround for a browser-to-code-execution chain.

One step of the chain, the one that gets a disk image mounted from a web page, was assigned CVE-2017-13890. Apple’s security advisory describes it as follows:

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: Processing a maliciously crafted webpage may result in the mounting of a disk image
Description: A logic issue was addressed with improved restrictions.
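
A check a defender can run on a macOS fleet, added here as an example and not code from Dropbox, Syndis or Apple: the symptom in Apple’s entry is a disk image being mounted as a side effect of browsing, so the script below lists attached disk images via hdiutil and flags any whose backing file sits in a user’s Downloads, Desktop or Library/Caches directory, which is where a browser-delivered image would land. It assumes the plist layout that `hdiutil info -plist` emits (an `images` array whose entries carry `image-path` and a `system-entities` list with `mount-point` keys); the embedded plist is a constructed sample, not captured output, and the script falls back to it when hdiutil is not available. It detects the effect of such a chain, not the vulnerability itself: the fix is Apple’s update, and, independently of this bug, turning off Safari’s “Open ‘safe’ files after downloading” preference stops downloaded disk images from being opened without a prompt.

```python
"""List attached disk images that look browser-delivered.

Added example, not code from Dropbox, Syndis or Apple. Assumes the
plist structure printed by `hdiutil info -plist` on macOS; the sample
below is constructed for offline use, not real captured output.
"""
import plistlib
import subprocess
from pathlib import PurePosixPath

# Constructed sample in the layout hdiutil uses: one image mounted from
# a user's Downloads folder, one legitimately shipped inside an app bundle.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>images</key>
  <array>
    <dict>
      <key>image-path</key>
      <string>/Users/alice/Downloads/update.dmg</string>
      <key>system-entities</key>
      <array>
        <dict>
          <key>dev-entry</key><string>/dev/disk3</string>
        </dict>
        <dict>
          <key>dev-entry</key><string>/dev/disk3s1</string>
          <key>mount-point</key><string>/Volumes/update</string>
        </dict>
      </array>
    </dict>
    <dict>
      <key>image-path</key>
      <string>/Applications/Xcode.app/Contents/Resources/Tools.dmg</string>
      <key>system-entities</key>
      <array>
        <dict>
          <key>dev-entry</key><string>/dev/disk4s1</string>
          <key>mount-point</key><string>/Volumes/Tools</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""

# Directories under a user's home where a browser drops or caches downloads.
DOWNLOAD_DIRS = ("Downloads", "Desktop", "Library/Caches")


def mounted_images(plist_bytes):
    """Return (image_path, [mount_points]) for every attached image."""
    info = plistlib.loads(plist_bytes)
    result = []
    for img in info.get("images", []):
        mounts = [e["mount-point"] for e in img.get("system-entities", [])
                  if "mount-point" in e]
        result.append((img.get("image-path", ""), mounts))
    return result


def looks_browser_delivered(image_path):
    """True if the image file lives under a download-like directory in /Users."""
    parts = PurePosixPath(image_path).parts  # ('/', 'Users', 'alice', 'Downloads', 'x.dmg')
    if len(parts) < 5 or parts[1] != "Users":
        return False
    rel = "/".join(parts[3:-1])  # path below the home directory, without the file name
    return any(rel == d or rel.startswith(d + "/") for d in DOWNLOAD_DIRS)


def suspicious_mounts(plist_bytes):
    """Images that are both mounted and backed by a file in a download directory."""
    return [(p, m) for p, m in mounted_images(plist_bytes)
            if m and looks_browser_delivered(p)]


def live_plist():
    """Read real hdiutil output on macOS; returns None on other systems."""
    try:
        out = subprocess.run(["hdiutil", "info", "-plist"],
                             capture_output=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout


if __name__ == "__main__":
    data = live_plist() or SAMPLE_PLIST
    for path, mounts in suspicious_mounts(data):
        print(f"download-sourced disk image attached: {path} -> {', '.join(mounts)}")
```

Run it on a macOS host to check the live state, or anywhere else to see it work against the constructed sample; a hit means a disk image from a download location is currently attached, which is worth correlating with the browser history and process tree rather than treating as proof of exploitation on its own.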


Dropbox considers the engagement a success for all parties involved: Dropbox, Apple, and Safari users in general. Syndis “went above and beyond in finding this exploit chain during our engagement,” the company said, and using the chain in the attack simulation let Dropbox test its readiness against attacks that rely on zero-day vulnerabilities. “This is an excellent example of the security community becoming stronger because of good actors doing the right thing,” Dropbox concluded.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
