
Dropbox Red Team Discovers CVE-2017-13890 Zero-Day in Apple's Safari

Dropbox's Offensive Security red team has discovered a set of zero-day vulnerabilities (later assigned CVE-2017-13890) in Apple's Safari browser. The research team came across the flaws while testing how Dropbox and its cloud storage system respond to cyberattacks. More precisely, the zero-days were discovered by Syndis, a third-party partner of Dropbox.

"Our third-party partner, Syndis, found vulnerabilities in Apple software we use at Dropbox that didn't just affect our macOS fleet, it affected all Safari users running the latest version at the time (a so-called zero-day vulnerability)," the company explained.

Related: 5 macOS Vulnerabilities That Shouldn't Be Overlooked (https://sensorstechforum.com/5-macos-vulnerabilities-shouldnt-overlooked/)

CVE-2017-13890: Zero-day Vulnerabilities in Apple’s Safari Discovered

If the vulnerabilities are chained together, they can enable an attacker to run arbitrary code on the targeted system just by tricking the victim into visiting a malicious web page.

It should be noted that Dropbox's red team carried out a simulated attack with the help of their partners from Syndis. "Identifying new ways to break into Dropbox was in scope for this engagement, but even if none were found, we were going to simulate the effects of a breach by just planting malware ourselves (discreetly, of course, so as not to tip off the detection and response team)," said Dropbox's head of security Chris Evans.

But the team did not have to simulate anything after all, as Syndis came across a set of exploitable zero-day flaws in Apple’s Safari. The zero-days impact macOS before 10.13.4 and allow threat actors to run arbitrary code on a vulnerable system just by visiting a maliciously crafted page.

Naturally, the researchers notified Apple of the discovered issues, and Apple quickly acknowledged their report. Apple released fixes for the issues in about a month, which is a reasonable turnaround.

The vulnerabilities were assigned the CVE-2017-13890 identifier. Here’s how Apple described them:

Available for: OS X El Capitan 10.11.6, macOS Sierra 10.12.6
Impact: Processing a maliciously crafted webpage may result in the mounting of a disk image
Description: A logic issue was addressed with improved restrictions.

Related: CVE-2018-4277: Apple Vulnerability Allows IDN Homograph Attack (https://sensorstechforum.com/cve-2018-4277-apple-idn-homograph-attack/)

The research team considers the pentest a success for all interested parties: Dropbox, Apple, and online users in general. "Syndis went above and beyond in finding this exploit chain during our engagement, and using it during the attack simulation exercise allowed us to test the readiness within the company against attacks using zero-day vulnerabilities. This is an excellent example of the security community becoming stronger because of good actors doing the right thing," Dropbox concluded.

Milena Dimitrova