Here’s how hackers can install malware on your Mac through Safari

Apple can’t protect you from everything.
Photo: Apple

You might consider Safari to be the safest web browser for macOS, but one security researcher has proven it’s not completely bulletproof.

Patrick Wardle has demonstrated how hackers can remotely infect a Mac with malicious software using a Safari vulnerability. Apple’s built-in protections can do nothing to stop it.

As Apple machines have risen in popularity, an increase in attacks has followed. The days when you could use a Mac without the fear of it being infected are long gone. Wardle’s exploit proves that simply browsing the web in Safari can lead to serious problems.

Safari exploit leaves users open to attack

In a lengthy explainer, Wardle reveals how an attacker can take advantage of the way in which Safari processes document and URL handlers to inject malware onto a Mac. It starts when a user visits a malicious website.

“Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application,” Wardle explains. “If the Mac user is using Safari, the archive will be automatically unzipped, as Apple thinks it’s wise to automatically open “safe” files.”

“This fact is paramount, as it means the malicious application (vs. just a compressed zip archive) will now be on the user’s filesystem, which will trigger the registration of any custom URL scheme handlers! Thanks Apple!”

The malicious website can then run code that causes macOS to launch the malicious application. A popup will ask the user whether they wish to “Allow” or “Cancel” the process, but the text in it is controlled by the attacker and can be deceiving.

Don’t click “Allow” unless you’re sure it’s safe to do so.
Photo: Patrick Wardle

macOS can’t protect you

Apple’s built-in defenses in macOS can’t protect against this kind of attack. It would require a change in the way in which Safari manages document and URL handlers. Apple could revoke a malicious app’s certificate, but by the time the app is identified, it will be too late for those who have already installed it.

There is something you can do, however. Preventing Safari from opening “safe” files stops this attack in its tracks. All you need to do is select Preferences… in Safari’s menu bar, then uncheck the option to Open “safe” files after downloading.
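
To check a Mac for the registration step described above, here is an added example (not code from Wardle's explainer or from this article): a Python audit that lists application bundles under a folder whose Info.plist declares custom URL schemes. `CFBundleURLTypes` and `CFBundleURLSchemes` are the standard Info.plist keys; the default `~/Downloads` target and the sample bundle names are assumptions.

```python
import plistlib
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError


def declared_url_schemes(info_plist):
    """Return the custom URL schemes an app's Info.plist asks macOS to register."""
    try:
        with open(info_plist, "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return []  # unreadable or malformed plist: nothing to report
    url_types = info.get("CFBundleURLTypes") if isinstance(info, dict) else None
    schemes = []
    for url_type in url_types if isinstance(url_types, list) else []:
        declared = url_type.get("CFBundleURLSchemes") if isinstance(url_type, dict) else None
        for scheme in declared if isinstance(declared, list) else []:
            if isinstance(scheme, str):
                schemes.append(scheme.lower())  # URL schemes are case-insensitive
    return schemes


def scan_for_handlers(root):
    """Map each .app bundle under root to the URL schemes it declares."""
    root = Path(root)
    findings = {}
    for plist in sorted(root.rglob("*.app/Contents/Info.plist")):
        schemes = declared_url_schemes(plist)
        if schemes:
            findings[str(plist.parents[1].relative_to(root))] = schemes
    return findings


def build_constructed_sample(root):
    """Create two fake bundles (constructed test data, not real apps)."""
    samples = {
        "Invoice.app": {"CFBundleURLTypes": [{"CFBundleURLSchemes": ["Constructed-Scheme"]}]},
        "Plain.app": {"CFBundleIdentifier": "com.example.plain"},
    }
    for name, info in samples.items():
        contents = Path(root) / name / "Contents"
        contents.mkdir(parents=True)
        with open(contents / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)


if __name__ == "__main__":
    # Assumption: with no argument, audit ~/Downloads, the default download folder.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for bundle, schemes in scan_for_handlers(target).items():
        print(f"{bundle}: declares URL scheme(s) {', '.join(schemes)}")
```

An unexpected bundle in the output is a candidate for review and removal; many legitimate apps also declare URL schemes, so a hit is a lead rather than a verdict.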

Via: MacRumors

