Dropbox’s Offensive Security red team has discovered a set of zero-day vulnerabilities (later assigned CVE-2017-13890) in Apple’s Safari browser. The research team came across the flaws while testing the way Dropbox and its cloud storage system responded to cyberattacks. More precisely, the zero-days were discovered by Syndis, a third-party partner of Dropbox.
Our third-party partner, Syndis, found vulnerabilities in Apple software we use at Dropbox that didn’t just affect our macOS fleet, it affected all Safari users running the latest version at the time—a so-called zero-day vulnerability), the company explained.
CVE-2017-13890: Zero-day Vulnerabilities in Apple’s Safari Discovered
If the vulnerabilities are chained together, they can enable an attacker to run arbitrary code on the targeted system just by tricking the victim into visiting a malicious web page.
It should be noted that Dropbox’s red team carried out a simulated attack with the help of their partners from Syndis. “Identifying new ways to break into Dropbox was in scope for this engagement, but even if none were found, we were going to simulate the effects of a breach by just planting malware ourselves (discretely, of course, so as not to tip off the detection and response team),” said Dropbox’s head of security Chris Evans.
But the team did not have to simulate anything after all, as Syndis came across a set of exploitable zero-day flaws in Apple’s Safari. The zero-days impact macOS before 10.13.4 and allow threat actors to run arbitrary code on a vulnerable system just by visiting a maliciously crafted page.
Of course, the researchers notified Apple of the discovered issues, and Apple quickly acknowledged their report. Apple released fixes for the issues in about a month, which can be considered a good job.
The vulnerabilities were assigned the CVE-2017-13890 identifier. Here’s how Apple described them:
Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: Processing a maliciously crafted webpage may result in the mounting of a disk image
Description: A logic issue was addressed with improved restrictions.
The research team considers the pentest a success for all interested parties – Dropbox, Apple, and for online users in generals. Syndis went above and beyond in finding this exploit chain during our engagement, and using it during the attack simulation exercise allowed the researchers to test the readiness within the company against attacks using zero-day vulnerabilities. This is an excellent example of the security community becoming stronger because of good actors doing the right thing, Dropbox concluded.