Remote macOS exploit using custom URL schemes demonstrated by security researcher

Posted:
in macOS edited September 2018
Researchers demoed a recently discovered exploit in macOS that allows malware to be remotely installed on a target machine through the use of custom URL handlers in Safari.

Windshift
Source: Objective-See


The WINDSHIFT APT deals largely with "Do you want to allow" popups familiar to any macOS user, explains security researcher Patrick Wardle. These document handlers are frequently seen in use when clicking on an App Store link or PDF, which asks users for permission before opening the link or file in a registered app like the Mac App Store or Preview.

Custom URL handlers, and similarly document handlers, are basically a way for an application to notify the OS they are able to handle certain document types. For example, VLC advertises the ability to accept many different video formats, while Preview does the same for a wide array of different file types.

It is through these handlers that the exploit exists.

Wardle gives an excellent in-depth explanation that many developers will appreciate, but the basic method for this exploit is as follows.

Exploit process

First, the malware is uploaded to a malicious website. When visited, the malicious .zip file is downloaded by macOS, which automatically unzips it. Apple allows the unzipping of files it deems "safe," which includes this piece of malware if a user downloads it via Safari.

Once the file is unzipped, the malware application is able to register its custom URL scheme handler with the file system. Code in the malicious webpage can then load or "browse" to the custom URL, Wardle says, triggering macOS to look up the just installed URL handler and launch the malicious app.

While Safari does prompt the user to Cancel or Allow the operation to run, developers are able to change the application text to something designed to be misleading. Instead of saying "Do you want to allow Safari to open scary malware application?" it could say "Do you want to allow Safari to open Preview?"

Then the OS attempts to launch the malware that is sitting in your downloads folder.

Malware exploit process

Prevention

Several preventative measures are built into macOS, though they aren't necessarily effective in this instance. The first barrier is requiring the user to click Allow on the popup in Safari, but the custom text makes it easy to craft a seemingly mundane and trustworthy message.

The same goes for File Quarantine. The safety mechanism will ask the user for confirmation before installing the software, but here, too, the name can be changed.

GateKeeper is also most likely bypassed as explained by Wardle.

"In its default configuration, Gatekeeper allows signed applications," he writes. "The malware used by the WINDSHIFT APT group was signed (as is most Mac malware these days). So Gatekeeper doesn't even come into play!"

Apple can revoke an app's signature once it is discovered to be used for malware, but that doesn't help for those who were already tricked into running the application.

Users who are most worried about this exploit have an easy solution if they'd like to play it safe: just turn off automatic unzipping of safe files.

In Preferences, navigate to Safari > General, then uncheck Open "safe" files after downloading.

Technically, macOS is doing everything correctly, but it is a series of innocuous actions that can allow a piece of malware to be installed unbeknownst to the user. Apple could elect to make some changes to the process in future updates, such as automatically preventing files from unzipping by default.
blkhawk105macplusplus

Comments

  • Reply 1 of 10
    Technically, macOS is doing everything correctly, but it is a series of innocuous actions that can allow a piece of malware to be installed unbeknownst to the user. Apple could elect to make some changes to the process in future updates, such as automatically preventing files from unzipping by default.
    But by all means, let’s make a back door to the encryption. It won’t weaken anything at all. What could possibly go wrong. 
    irelandracerhomie3longpathSpamSandwich
  • Reply 2 of 10
    I think the OS should not register those handlers for applications in the Download folder. It would be up to the user to move these elsewhere, in the Applications or other folders, where the handlers could registered. I am not suggesting a Windows installer like gaz plant but hey, too easy is not good either. :)
    svanstromascii
  • Reply 3 of 10

    Exploit process

    First, the malware is uploaded to a malicious website. When visited, the malicious .zip file is downloaded by macOS, which automatically unzips it. Apple allows the unzipping of files it deems "safe," which includes this piece of malware if a user downloads it via Safari.

    This is just plain wrong. “Open safe files” is an option, not a default action and that option comes unchecked since many versions of macOS.

    longpathasdasd
  • Reply 4 of 10
    dewmedewme Posts: 1,988member
    So yet again we've confirmed what we've long suspected ... humans are almost always the weakest link in the security chain.

    Surprised?
    svanstromlongpathSpamSandwich
  • Reply 5 of 10
    dewme said:
    So yet again we've confirmed what we've long suspected ... humans are almost always the weakest link in the security chain.

    Surprised?
    Humans are the strongest link in overcoming security measures. 

    Blame John Von Neumann.

    Data and code are the same things. What we may see as a computer program is just data to other parts of the system. Or what we think of as passive data can be seen as executable code to another piece of data acting as an interpreter. 
  • Reply 6 of 10
    lkrupplkrupp Posts: 6,782member
    Headline makes it sound like your Mac can be compromised remotely without the user doing anything. Inexperienced user’s hearts start pounding. Read on. Oh, option to “automatically” open downloaded apps needs to be enabled, an option that any user with any experience at all will have made sure was disabled. Then we see the little flow chart with the “*with user permission” footnote.

    Okay, I don’t need to do anything on my Mac. On the other hand I constantly see posts in the Apple discussion forums that start out with “I clicked on something and now my Mac... (fill in the blank). They don’t even remember what they did but it’s always Apple’s fault they got burned. Mac converts coming from Windows are especially vulnerable. Anything, I mean anything, that happens to their Mac MUST be a virus because that’s the mentality they migrated from. A glitch? Must be a virus. A stall? Must be a virus. Email got “hacked” because their password was easy to guess? Must be a virus.
    edited September 2018
  • Reply 7 of 10
    dewmedewme Posts: 1,988member
    larryjw said:
    dewme said:
    So yet again we've confirmed what we've long suspected ... humans are almost always the weakest link in the security chain.

    Surprised?
    Humans are the strongest link in overcoming security measures. 

    Blame John Von Neumann.

    Data and code are the same things. What we may see as a computer program is just data to other parts of the system. Or what we think of as passive data can be seen as executable code to another piece of data acting as an interpreter. 
    The Von Neumann architectural model certainly creates challenges by commingling of code and data in memory, but exploiting basic human weaknesses, cognitive biases, and gullibility has been a security issue well before there were even computers. I truly believe it would be worthwhile, in the name of providing a more holistic perspective, for computer engineering curriculums to include a couple or few courses in human psychology. This would be especially true for students interested in cybersecurity careers. It's not only intended to enlighten engineers about the psychology of the users of the systems the engineers design, but also to address the psychology of the engineers who design the systems. Every engineer and scientist who has ever worked on the systems that are now found to be "breakable" under attacks of various intensity all exhibited the same cognitive biases that all humans exhibit. Just getting something to function correctly on the happy path was once good enough. Imagining that someone would try to purposely break your wonderful technology or that your system was anything less than perfect was just crazy talk. But now we all live in crazy land. Everything that can be broken will be broken.
  • Reply 8 of 10
    asdasdasdasd Posts: 5,261member
    This isn’t really an exploit unless the user goes out of his way to ignore warnings. Possibly the only thing that needs fo change here is the custom text. 
  • Reply 9 of 10
    MplsPMplsP Posts: 1,202member
    asdasd said:
    This isn’t really an exploit unless the user goes out of his way to ignore warnings. Possibly the only thing that needs fo change here is the custom text. 
    The problem is, the malware can change the message so OS X is asking to open something you expect, like Preview, so yes you are clicking, but you aren’t clicking On what you think you are. 
  • Reply 10 of 10

    Exploit process

    First, the malware is uploaded to a malicious website. When visited, the malicious .zip file is downloaded by macOS, which automatically unzips it. Apple allows the unzipping of files it deems "safe," which includes this piece of malware if a user downloads it via Safari.

    This is just plain wrong. “Open safe files” is an option, not a default action and that option comes unchecked since many versions of macOS.

    Not exactly. I am on macOS Sierra 10.12.6 and the option to automatically unzip 'safe' files was enabled by default. As a relatively new Mac user, it was driving me crazy when I was trying to download my Google Drive files after zipping them, until I figured out the option and turned it off. Now, it seems there's another reason not to enable that option, if it's still the default in newer versions of macOS.
Sign In or Register to comment.